[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Draft release notes for 2.10.0
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
Re: Draft release notes for 2.10.0 |
|
Date: |
Thu, 22 Apr 2010 14:29:16 +0300 |
On Thu, Apr 22, 2010 at 10:17 AM, Simon Josefsson <address@hidden> wrote:
Hi,
> We need to write a section about the new TLS safe renegotiation support,
> and ideas on what to write here is appreciated. I think we need to
> point to other documents explaining the problem, and describe what this
> release adds to mitigate the problem. And describe our semantics when
> talking with old servers...
A proper discussion would be more proper in the documentation rather
in the release notes.
A quick note might say that gnutls implements the TLS safe
renegotiation counter-measures as described in RFC5746, against a
plaintext injection attack that affects TLS as is currently used by
HTTP(S) protocol. More information about the vulnerability at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
Unfortunately fully deployment of the solution requires breaking
backwards compatibility with older servers and clients. For that
reason gnutls enables it but does not enforce its security features
unless the peer also supports safe renegotiation, to maintain
compatibility with existing software. This decision will be
reconsidered once the majority of internet servers/clients that use
TLS have adopted safe renegotiation.
> ** libgnutls: Added cryptodev support (/dev/crypto).
> Tested with http://www.logix.cz/michal/devel/cryptodev/. Added
[...]
Please use this link for the release notes:
http://home.gna.org/cryptodev-linux/
regards,
Nikos