safe renegotiation

Tomas Hoger thoger at
Thu Apr 29 13:57:45 CEST 2010

On Thu, 29 Apr 2010 11:02:14 +0200 Nikos Mavrogiannopoulos wrote:

> This will actually harm mod_gnutls. Renegotiation is a common issue in
> HTTPS (for upgrading authentication using a certificate for certain
> locations).

Client certificate authentication should really be the only common use
case where renegotiation is really required with https.

> If people notice that no clients can connect on their servers will
> either install an older version of gnutls that "works" or just go to
> mod_ssl.

Anyone who goes to mod_ssl or mod_nss will face the same issue when
using new OpenSSL or NSS, as they both reject renegotiation with
unpatched clients.

mod_ssl got new config directive - SSLInsecureRenegotiation [1] -
allowing admins to let old clients renegotiate.  For mod_nss, you can
set NSS_SSL_ENABLE_RENEGOTIATION [2] environment variable to achieve
the similar result.  If mod_gnutls already has directive for setting
priority string, it can be an easy way to revert back to insecure
renegotiation for those who need it.



More information about the Gnutls-devel mailing list