Another renegotiation patch

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Feb 21 09:55:33 CET 2010 

Tomas Hoger wrote:

>>> - gnutls-cli invoked with --disable-extensions still sends hello
>>> with extensions.
>> This is actually an unrelated issue -- the parameter doesn't disable
>> all extensions even on 2.8.x.
> 
> That's possible, I did not get to figure out why it does not work.
> I just tried to use it to force GnuTLS to use SCSV in TLS hellos.

Actually the disable-extensions option has no effect on the library
itself. It is only for gnutls-cli to use some extensions or not. That is
why it doesn't affect the SCSV. It is now only send when using SSL 3.0.
I don't know how many servers do not work with extensions today, but if
it proves to be a problem we might add sending it when the %COMPAT flag
is given.

>>> - gnutls-cli fails to connect to servers not implementing RFC 5746.
>>>   While this is required to fully address the issue on the client
>>>   side, it's likely to cause major issues in short term.
>>>   gnutls-cli(1) suggests safe initial negotiation should not be
>>>   required by default (see %INITIAL_SAFE_RENEGOTIATION),
>>>   %UNSAFE_RENEGOTIATION is required to connect.
>>>   Note: Both OpenSSL and NSS will not require safe initial
>>>   negotiation yet for interoperability reasons.
>> Nikos, Steve, what do you think here?
> 
> Looks like the current behavior is intentional:
> 
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2a10542bf8f7cfbd5e6a4b17c8d502133da93fc5
> 
> I appologize for missing it previously.

Indeed the option was to be as secure by default on the client side, and
backwards compatible on the server side (server is not really affected,
but he could protect - by denying access - to clients that don't support
secure renegotiation).

>> My preference is to not reject these servers, because the
>> vulnerability exists theoretically in earlier GnuTLS versions anyway
>> but because of the GnuTLS API is different from OpenSSL/NSS most if
>> not all GnuTLS applications are not affected by this (renegotiation
>> will fail with the majority of GnuTLS applications).
> 
> The above commit message should cover these too.  I see NEWS explicitly
> mentions that clients need to use %UNSAFE_RENEGOTIATION.  You may still
> wish to emphasize that in the release announcements.

I think it is good practice to warn the user about an insecure server
and let him force the unsafe_renegotiation flag.

regards,
Nikos

More information about the Gnutls-devel mailing list