Safe renegotiation patch

Nikos Mavrogiannopoulos nmav at
Mon Jan 11 23:11:44 CET 2010

Steve Dispensa wrote:

>> Why this one is needed? Shouldn't all initial negotiations be accepted
>> and fail only if renegotiation
>> is requested? I believe this was the behavior of your previous patch.
> A totally strict server may not want to allow unpatched clients, since
> those clients are unable to tell if they're being attacked. I defaulted
> it to off to be conservative from a security perspective.

I understand. However this will make the new release non-interoperable
with anything else existing. Thus for now I believe this should be
allowed and at a later point that secure renegotiation is common
practice that should be by default off.


More information about the Gnutls-devel mailing list