[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: safe renegotiation bug?
From: |
Tomas Mraz |
Subject: |
Re: safe renegotiation bug? |
Date: |
Fri, 28 May 2010 09:58:04 +0200 |
On Fri, 2010-05-28 at 09:48 +0200, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <address@hidden> writes:
>
> > Simon Josefsson wrote:
> >
> >>>>> Should be ok now. I get aborts in the srn5 but they seem intended?
> >>>> I fixed that now -- however it seems there is another problem, now the
> >>>> rehandshake succeeds against a server that doesn't support safe
> >>>> renegotiation. The second handshake in srn5 should fail, shouldn't it?
> >>> By default server is on unsafe renegotiation mode and doesn't require
> >>> any of the extensions, either on the first or subsequent negotiations.
> >>> Disallowing rengotiations after this point for the client shouldn't
> >>> offer any advantage since you are already connected securely to a peer.
> >>
> >> But this self tests is with a server that has safe renegotiation
> >> disabled, see tests/safe-renegotiation/srn5.c.
> >>
> >> The client by default permits connections, but I don't think clients
> >> should (by default) allow renegotiation against such servers.
> >
> > Why?
>
> To me it was more that I couldn't answer 'Why not?'. I'm not sure what
> the balance should be. We already decided that (by default) we can't
> disable everything we know is insecure due to interop, so decisions
> whether to enable/disable other things by default is subjective.
>
> NSS does not allow upgraded clients to renegotiate with unupgraded
> servers, see: https://developer.mozilla.org/NSS_3.12.6_release_notes
Note that the same decision was made also by OpenSSL developers.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
- safe renegotiation bug?, Simon Josefsson, 2010/05/22
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/22
- Re: safe renegotiation bug?, Simon Josefsson, 2010/05/22
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/22
- Re: safe renegotiation bug?, Simon Josefsson, 2010/05/28
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/28
- Re: safe renegotiation bug?, Simon Josefsson, 2010/05/28
- Re: safe renegotiation bug?,
Tomas Mraz <=
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/28
- Re: safe renegotiation bug?, Tomas Mraz, 2010/05/28
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/28
- Re: safe renegotiation bug?, Simon Josefsson, 2010/05/31
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/31
- Re: safe renegotiation bug?, Simon Josefsson, 2010/05/31
- Re: safe renegotiation bug?, Nikos Mavrogiannopoulos, 2010/05/31