Re: confirmation that debian #480041 is a gnutls problem, and steps to reproduce

[Joe Orton]

On Fri, Nov 21, 2008 at 11:58:36AM -0500, Daniel Kahn Gillmor wrote:
> On Fri 2008-11-21 02:24:02 -0500, Nikos Mavrogiannopoulos wrote:
> 
> > Hello, this does not seem to be a gnutls error. The server merely asks
> > for renegotiation, gnutls-cli ignores it (legal behavior) and server
> > does not like it thus sends a fatal alert.
> 
> Do you think this is exposing a bug in mod_ssl, then?  If it is legal
> behavior to ignore a renegotiation, it seems to me that
> SSLVerifyClient optional should not cause the server to terminate the
> connection if a rehandshake is rejected.  Should we clone this bug, or
> open a new report against apache or openssl?

IIUC what will happen in this case is that mod_ssl puts OpenSSL into the 
state where it expects a full handshake - if it receives any app_data 
packets OpenSSL treats thas a hard failure.  And slso IIUC - this 
results in the server sending a ChangeCipherSpec message on the wire - 
and the client has no option to ignore that in TLS, right?

joe