[gnutls-help] disable renegotiation

Jeremy Harris jgh at wizmail.org
Wed Jun 16 13:34:14 CEST 2021


On 16/06/2021 11:15, John wrote:
> Is there a way in Gnutls to disable renegotiation on TLS and a way to disable client initiated secure renegotiation?

https://gnutls.org/manual/html_node/Safe-renegotiation.html#Safe-renegotiation

"It is possible to disable use of the extension completely, in both clients and servers, by using the %DISABLE_SAFE_RENEGOTIATION priority string however we strongly recommend you to only do this for debugging and test purposes."

> 
> This is useful to harden the server. For example Exim4+Gnutls on Debian 10. There does not seem to be a need to support renegotiation or resumption on a mail server, because STARTTLS sessions are set up in each SMTP session. Disabling renegotiation reduces the attack surface.

Resumption is a different kettle of fish, but since it wasn't enabled in
the most-recent Exim release I doubt that Debian's build it up.
Even if they did, the project coding has it not enabled until you do so
explicitly in config.  As for need, if you're repeatedly connecting the
same pair of hosts, resumption saves cpu cycles.
-- 
Cheers,
   Jeremy
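An added example, not code from this thread, GnuTLS or Exim: a small audit of a GnuTLS priority string (the value Exim takes in its tls_require_ciphers option) that tokenises it and reports the renegotiation posture implied by the %-keywords the GnuTLS manual documents, flagging %DISABLE_SAFE_RENEGOTIATION as a weakening rather than a hardening. The regexes and the posture labels are this example's own assumptions.

```python
# Added example, not from the gnutls-help thread, GnuTLS or Exim.
import re

# "%" keywords from the GnuTLS manual's safe-renegotiation section, and how
# each one changes a server's exposure (labels are this example's own).
RENEG_KEYWORDS = {
    "%SAFE_RENEGOTIATION": "strict",        # require the extension from every peer
    "%PARTIAL_RENEGOTIATION": "default",    # GnuTLS default behaviour
    "%UNSAFE_RENEGOTIATION": "weak",        # tolerate renegotiation without the extension
    "%DISABLE_SAFE_RENEGOTIATION": "weak",  # extension off; manual: debugging/test only
}

# Plain items: optional +/-/! modifier and a keyword such as NORMAL or VERS-TLS1.3.
ITEM_RE = re.compile(r"^([+\-!]?)([A-Za-z0-9.\-]+)$")
# Special keywords such as %SERVER_PRECEDENCE or %DISABLE_SAFE_RENEGOTIATION.
SPECIAL_RE = re.compile(r"^%[A-Z0-9_]+$")


def parse_priority(priority):
    """Split a priority string into (modifier, keyword) tuples.

    Special keywords get modifier '%'. An unparseable item raises ValueError so a
    typo in a hardening change is caught instead of being silently ignored.
    """
    items = []
    for raw in priority.split(":"):
        tok = raw.strip()
        if not tok:
            continue
        if SPECIAL_RE.match(tok):
            items.append(("%", tok))
            continue
        m = ITEM_RE.match(tok)
        if not m:
            raise ValueError(f"unrecognised priority item: {tok!r}")
        items.append((m.group(1), m.group(2)))
    return items


def renegotiation_posture(priority):
    """Return ('weak'|'strict'|'default', keywords found) for a priority string.

    Any weak keyword wins: %DISABLE_SAFE_RENEGOTIATION removes the protection the
    safe-renegotiation extension exists to provide, whatever else is set.
    """
    found = [kw for mod, kw in parse_priority(priority) if mod == "%" and kw in RENEG_KEYWORDS]
    levels = {RENEG_KEYWORDS[kw] for kw in found}
    if "weak" in levels:
        return "weak", found
    if "strict" in levels:
        return "strict", found
    return "default", found
```

Running renegotiation_posture("NORMAL:%DISABLE_SAFE_RENEGOTIATION") on a constructed sample value reports "weak", which is the point of the manual's caution quoted above.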


