gnutls-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

safe renegotiation


From: Simon Josefsson
Subject: safe renegotiation
Date: Thu, 29 Apr 2010 10:16:07 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

I've tested the safe renegotiation stuff a bit more, and I believe we
could tweak the defaults to make them slightly more secure: let
%SAFE_RENEGOTIATION be the default for servers.

This means that servers will refuse to RE-negotiate against clients that
does not support the extension.

We surveyed GnuTLS server applications earlier, and found that none of
them (except one) supported TLS renegotiation at all.  The impact of
this change should be minimal.

The odd package is mod_gnutls for Apache, but it exposes a priority
string interface to the administrator, thus allowing them to override
the behaviour easily -- however we should recommend that they don't,
because it is really insecure.

Thoughts?  Objections?

/Simon




reply via email to

[Prev in Thread] Current Thread [Next in Thread]