Another renegotiation patch

Tomas Hoger thoger at redhat.com
Sat Feb 27 17:30:24 CET 2010


Hi Nikos!

On Fri, 26 Feb 2010 18:58:17 +0100 Nikos Mavrogiannopoulos wrote:

> > Can you have a look at the attached diff.  It moves GNUTLS_CLIENT
> > test, so that the "Allowing/Denying unsafe initial negotiation"
> > message is logged instead of "Allowing/Denying unsafe
> > renegotiation" on initial client connection.
> 
> Hmmm... actually a client cannot tell if it is a renegotiation or an
> initial connection. That's why this message is there.

A client can't tell whether the server sees that negotiation as initial or
as a rehandshake, but it is an initial negotiation as seen by the client.
Moving the entity == client check a bit just changes a gnutls debug message
and causes the client not to send a no_renegotiation warning.

> Alerts are sent by the application using
> gnutls_alert_send_appropriate() - or gnutls_alert_send().

Ok, thanks for clarification.

> > I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
> > gnutls-cli.1 (always enforced) and mention client/server defaults in
> > gnutls_priority_init.3.  Should I try submitting changes proposal?
> 
> It is now always enforced but will not be the default after the
> renegotiation protection is common practice.

May I ask why?  The current default is to be strict on the client side
regardless of the interoperability issues with unupgraded servers.  Why
should the default change in the future to the less strict one, even
though fewer servers are expected to require it at that time?

th.