[gnutls-help] disable renegotiation

John johnbast at protonmail.com
Thu Jun 24 21:09:05 CEST 2021


Asking my question again to those who know:
Is there currently a way in Gnutls to disable renegotiation on TLS and a way to disable client initiated secure renegotiation?

The option of disabling renegotiation is mentioned in RFC5746:
RFC5746: "TLS implementations SHOULD provide a mechanism to disable and enable renegotiation."

RFC5746: "Many servers can mitigate this attack simply by refusing to renegotiate at all."

For this to work, developers and/or users need to be able to refuse client-initiated renegotiation.

A user-configurable implementation could have:
%DISABLE_RENEGOTIATION
%DISABLE_CLIENT_RENEGOTIATION

I am aware of the option to disable safe renegotiation. That seems to be limited to disabling safe renegotiation, which would likely leave the server vulnerable.

Thanks!