[gnutls-devel] GnuTLS | disabling client initiated renegotiation, disabling all renegotiation (#1252)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Jul 5 22:11:26 CEST 2021

John created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1252

RFC5746 (2010) paragraph 5. Security Considerations:\
"Many servers can mitigate this attack simply by refusing to renegotiate at all."\
"TLS implementations SHOULD provide a mechanism to disable and enable renegotiation."

Users do not seem to have this option (e.g. %DISABLE_RENEGOTIATION).

After RFC 5746 was published, DoS attacks, tools and papers were published regarding abuse of TLS renegotiation.

Guidelines from security institutes call for disabling of client initiated renegotiation on servers to protect against attacks known and unknown. Users should have the option to do this. (e.g. %DISABLE_CLIENT_RENEGOTIATION).

Servers do not need renegotiation when TLS sessions are short lived, for example small mail servers.

%DISABLE_RENEGOTIATION: disable all renegotiation\
%DISABLE_CLIENT_RENEGOTIATION: disable all client initiated renegotiation

Existing related settings:\
%PARTIAL_RENEGOTIATION [default]: allows safe renegotiation only (RFC5746)\
%DISABLE_SAFE_RENEGOTIATION: disable safe renegotiation extension (RFC5746)\
%UNSAFE_RENEGOTIATION: allow non-safe renegotiation (RFC5746)

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1252
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210705/6e1d92c0/attachment.html>

More information about the Gnutls-devel mailing list