safe renegotiation in client side

Nikos Mavrogiannopoulos nmav at
Tue Mar 16 15:48:06 CET 2010

On Tue, Mar 16, 2010 at 1:02 PM, Simon Josefsson <simon at> wrote:

> I'll do some experiments with 2.9.10 on my machine... maybe best to get
> a release out first though.

At least in my system I couldn't do basic stuff (use svn over ssl) and
couldn't find any
fix for those (except changing gnutls). I no longer use openldap to
login in my system, but
I remember this also doesn't provide access to priority strings, which
would also cause a denial of
service. I'm also leaning towards having the first releases without
enforced safe renegotiation and
enforcing it at a later time that does not cause more trouble than it solves.

Debug strings warning about that are now being printed via the gnutls
logging, but are not visible
in most applications (and even if it was might not offer any
information to a typical user since it
will be issued for almost every server today). What we can do is add a
warning on the gnutls-cli
if the server does not support safe renegotiation? (gnutls-cli-debug
can also detect that).


More information about the Gnutls-devel mailing list