Another renegotiation patch

Tomas Hoger thoger at
Wed Feb 24 17:06:48 CET 2010

On Thu, 18 Feb 2010 15:04:55 +0100 Tomas Hoger <thoger at>

> Looks like the current behavior is intentional:

Can you have a look at the attached diff.  It moves GNUTLS_CLIENT test,
so that the "Allowing/Denying unsafe initial negotiation" message is
logged instead of "Allowing/Denying unsafe renegotiation" on initial
client connection.

It also add HANDSHAKE_FAILURE alert for unsafe initial negotiation
(client), which is required by RFC 5746, 4.1.  Though I'm wondering if
this is the right place to generate this alert.  If gnutls-serv refuses
initial connection from the unpatched client, HANDSHAKE_FAILURE alert
is generated, but it's from application rather than library.  Should
those alerts be generated by applications or library?

I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
gnutls-cli.1 (always enforced) and mention client/server defaults in
gnutls_priority_init.3.  Should I try submitting changes proposal?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-hsfail-alert.diff
Type: text/x-patch
Size: 1500 bytes
Desc: not available
URL: </pipermail/attachments/20100224/071b8c63/attachment.bin>

More information about the Gnutls-devel mailing list