Another renegotiation patch
Tomas Hoger
thoger at redhat.com
Wed Feb 24 17:06:48 CET 2010
On Thu, 18 Feb 2010 15:04:55 +0100 Tomas Hoger <thoger at redhat.com>
wrote:
> Looks like the current behavior is intentional:
>
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2a10542bf8f7cfbd5e6a4b17c8d502133da93fc5
Can you have a look at the attached diff. It moves GNUTLS_CLIENT test,
so that the "Allowing/Denying unsafe initial negotiation" message is
logged instead of "Allowing/Denying unsafe renegotiation" on initial
client connection.
It also adds HANDSHAKE_FAILURE alert for unsafe initial negotiation
(client), which is required by RFC 5746, 4.1. Though I'm wondering if
this is the right place to generate this alert. If gnutls-serv refuses
initial connection from the unpatched client, HANDSHAKE_FAILURE alert
is generated, but it's from application rather than library. Should
those alerts be generated by applications or library?
I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
gnutls-cli.1 (always enforced) and mention client/server defaults in
gnutls_priority_init.3. Should I try submitting changes proposal?
th.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-hsfail-alert.diff
Type: text/x-patch
Size: 1500 bytes
Desc: not available
URL: </pipermail/attachments/20100224/071b8c63/attachment.bin>
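The client-side decision the patch is about, shown as an added illustration in Python rather than code from this message or from GnuTLS: parse a ServerHello for the renegotiation_info extension (type 0xff01, RFC 5746) and, when it is absent while initial safe renegotiation is enforced, produce the fatal handshake_failure alert (level 2, description 40) instead of silently allowing the connection. The ServerHello bytes and the `initial_safe` flag are constructed for the example.

```python
import struct

RENEGOTIATION_INFO = 0xFF01   # extension type defined by RFC 5746
ALERT_FATAL = 2               # AlertLevel.fatal (RFC 5246)
HANDSHAKE_FAILURE = 40        # AlertDescription.handshake_failure (RFC 5246)

def alert_record(description: int, version=(3, 1)) -> bytes:
    """TLS record (content type 21 = alert) carrying a fatal alert."""
    header = struct.pack("!BBBH", 21, version[0], version[1], 2)
    return header + bytes([ALERT_FATAL, description])

def parse_server_hello_extensions(body: bytes) -> dict:
    """Return {ext_type: ext_data} from a ServerHello handshake body
    (the bytes that follow the 4-byte handshake message header)."""
    pos = 2 + 32                        # server_version + random
    sid_len = body[pos]; pos += 1 + sid_len
    pos += 2 + 1                        # cipher_suite + compression_method
    exts = {}
    if pos >= len(body):
        return exts                     # server sent no extensions block
    (ext_total,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
        exts[etype] = body[pos:pos + elen]; pos += elen
    return exts

def check_initial_negotiation(server_hello_body: bytes, initial_safe: bool):
    """Client check for an *initial* handshake (RFC 5746 4.1).
    Returns (status, alert_record_or_None)."""
    ri = parse_server_hello_extensions(server_hello_body).get(RENEGOTIATION_INFO)
    if ri is not None:
        # On an initial handshake renegotiated_connection must be empty (b"\x00").
        if ri != b"\x00":
            return "unsafe-denied", alert_record(HANDSHAKE_FAILURE)
        return "safe", None
    if initial_safe:
        # "Denying unsafe initial negotiation": abort with handshake_failure.
        return "unsafe-denied", alert_record(HANDSHAKE_FAILURE)
    return "unsafe-allowed", None       # "Allowing unsafe initial negotiation"

def make_server_hello(with_ri: bool) -> bytes:
    """Constructed ServerHello body: TLS 1.0, zero random, empty session id,
    cipher suite 0x002f, null compression, optionally with renegotiation_info."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_ri:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    return body
```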