TLS Renegotiation problem

Simon Josefsson simon at
Tue Nov 17 11:32:46 CET 2009

Simon Josefsson <simon at> writes:

> In GnuTLS, rehandshaking needs to be done explicitly by servers when
> they get the GNUTLS_E_REHANDSHAKE error back from gnutls_record_recv.
> If servers don't call gnutls_handshake when that happens, there is no
> problem.  So people can check their applications if they are vulnerable
> to this problem.

For everyone's information, searching for "GNUTLS_E_REHANDSHAKE" in code
is not sufficient: that only takes care of the situation where the
local client reacts to a renegotiation request from the remote server.

You also have to search for "gnutls_rehandshake" to take care of the
situation where the local server initiates the renegotiation request.

I believe one still has to look carefully at each example to understand
whether a particular instance is vulnerable or not: not all instances of
TLS reneg appear vulnerable.  For example, a server could make sure
that before calling gnutls_rehandshake it reads all data coming from the
client and performs input sanitizing on it because there is no guarantee
that data comes from the same identity who performs the TLS rehandshake
and sends more data later on.
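
An added example (not part of the original message or of GnuTLS): a small Python scan that looks for both identifiers named above and separates peer-requested from locally initiated renegotiation. The sample C source, the three-line window and the status labels are constructed assumptions; every hit still needs the manual review the message describes.

```python
import re

# Constructed sample C source (not from any real project) used to exercise the scan.
SAMPLE = """\
static int read_and_follow(gnutls_session_t s, char *buf, size_t n) {
    int ret = gnutls_record_recv(s, buf, n);
    if (ret == GNUTLS_E_REHANDSHAKE) {
        ret = gnutls_handshake(s);   /* accepts the peer's request */
    }
    return ret;
}
static int read_and_ignore(gnutls_session_t s, char *buf, size_t n) {
    int ret = gnutls_record_recv(s, buf, n);
    if (ret == GNUTLS_E_REHANDSHAKE)
        return 0;                    /* request is not acted upon */
    return ret;
}
static int reauth(gnutls_session_t s) {
    /* gnutls_rehandshake in a comment must not be reported */
    return gnutls_rehandshake(s);
}
"""

def strip_comments(src):
    # Blank out C comments but keep newlines so line numbers stay valid.
    # Assumption: comment markers inside string literals are not handled.
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, src, flags=re.S)

def scan(src, window=3):
    """Return (line, kind, status) for each renegotiation-related site."""
    lines = strip_comments(src).split("\n")
    findings = []
    for i, line in enumerate(lines):
        if re.search(r"\bGNUTLS_E_REHANDSHAKE\b", line):
            # Heuristic: is gnutls_handshake called within the next few lines?
            nearby = "\n".join(lines[i:i + 1 + window])
            hit = re.search(r"\bgnutls_handshake\s*\(", nearby)
            status = "handshake-follows" if hit else "no-handshake-nearby"
            findings.append((i + 1, "peer-requested", status))
        if re.search(r"\bgnutls_rehandshake\s*\(", line):
            findings.append((i + 1, "locally-initiated", "initiates-renegotiation"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

A "no-handshake-nearby" result only means no call was found inside the window; the handshake may still be performed elsewhere in the call path.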

