Re: release
From: Simon Josefsson
Subject: Re: release
Date: Mon, 31 May 2010 19:23:35 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
Nikos Mavrogiannopoulos <address@hidden> writes:
> Simon Josefsson wrote:
>> Simon Josefsson <address@hidden> writes:
>>
>>> Items left are to write and check the safe renegotiation self tests
>>> and to update the documentation section for it. I think there are bugs
>>> in both those parts right now, that's why I haven't made any releases.
>>
>> Nikos, I have updated the manual now to describe what I believe the
>> behaviour should be -- could you check that it matches your
>> interpretation?
>> Note that I'm not sure how %INITIAL_SAFE_RENEGOTIATION fits into this
>> picture.
> I've updated it to include it. Check it and let me know if you agree.
Looks good, although I changed 'connections' to '(re-)handshakes' to be
more consistent with the rest of the section.
>> I also suspect we want a priority string (e.g. %PARTIAL_RENEGOTIATION)
>> to describe today's default behaviour of permitting initial handshakes
>> but not rehandshakes -- so that clients/servers can use it and be
>> forward-compatible even when/if we change the default to make
>> clients/servers refuse initial handshakes without the extension.
>
> I believe you are talking about the %SAFE_RENEGOTIATION string not
> enforcing the extension on every connection (negotiation or
> renegotiation). This is ok since the threat is not on the server. The
> server is not less secure without the extension. The SAFE_RENEGOTIATION
> flag on the server is there to protect the client and this protection
> should be during renegotiation according to the threat. The
> INITIAL_SAFE_RENEGOTIATION is there to force clients to upgrade, by
> denying access to them if they do not support the extension. It does not
> increase security on either the client or the server.
I think this makes sense.
I'll try to push out 2.9.11 tonight.
/Simon
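The policy split Nikos describes above, as an added model (not GnuTLS code and not the wire format): %SAFE_RENEGOTIATION makes the server refuse a rehandshake from a peer that lacks the renegotiation_info extension, and %INITIAL_SAFE_RENEGOTIATION additionally refuses the initial handshake. The model goes one step beyond the thread and also checks the extension payload against the previous handshake's verify_data, which is the RFC 5746 mechanism that defeats a spliced renegotiation; the Policy names, the `RenegotiationInfo`/`Session` classes, the HMAC standing in for the TLS PRF and all inputs in `run_scenarios` are constructed for this example.

```python
"""Model of the safe-renegotiation policies discussed in the thread (added example).

Assumptions: Policy values mirror the priority-string names from the thread; the
extension payload is modelled as a plain bytes field; verify_data is derived with
HMAC-SHA256 truncated to 12 bytes in place of the TLS PRF. Not GnuTLS code.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    SAFE_RENEGOTIATION = "%SAFE_RENEGOTIATION"                  # require ext on rehandshakes only
    INITIAL_SAFE_RENEGOTIATION = "%INITIAL_SAFE_RENEGOTIATION"  # require ext on every handshake


@dataclass
class Session:
    """Per-connection state: verify_data of the last completed handshake, empty before the first."""
    client_verify_data: bytes = b""
    server_verify_data: bytes = b""

    @property
    def renegotiating(self) -> bool:
        return bool(self.client_verify_data)


@dataclass
class RenegotiationInfo:
    """Constructed model of the renegotiation_info extension (present/absent plus payload)."""
    present: bool
    renegotiated_connection: bytes = b""


class HandshakeRefused(Exception):
    pass


def server_check_client_hello(policy: Policy, session: Session, ext: RenegotiationInfo) -> str:
    """Server decision. Returns "legacy" (initial handshake, peer lacks the extension) or "secure"."""
    if not ext.present:
        if session.renegotiating:
            raise HandshakeRefused("rehandshake without renegotiation_info")
        if policy is Policy.INITIAL_SAFE_RENEGOTIATION:
            raise HandshakeRefused("initial handshake without renegotiation_info")
        return "legacy"
    # RFC 5746: the payload must be empty on an initial handshake and equal to the previous
    # client_verify_data on a rehandshake. A spliced initial ClientHello fails this check.
    if not hmac.compare_digest(ext.renegotiated_connection, session.client_verify_data):
        raise HandshakeRefused("renegotiation_info does not match previous handshake")
    return "secure"


def client_check_server_hello(session: Session, ext: RenegotiationInfo) -> str:
    """Client decision: on a rehandshake the server must echo client_verify_data + server_verify_data."""
    if not ext.present:
        if session.renegotiating:
            raise HandshakeRefused("server dropped renegotiation_info on rehandshake")
        return "legacy"
    expected = session.client_verify_data + session.server_verify_data
    if not hmac.compare_digest(ext.renegotiated_connection, expected):
        raise HandshakeRefused("server's renegotiation_info does not match")
    return "secure"


def complete_handshake(session: Session, master_secret: bytes, transcript: bytes) -> None:
    """Record both Finished verify_data values (12-byte truncation as in TLS 1.x; HMAC stands in for the PRF)."""
    digest = hashlib.sha256(transcript).digest()

    def vd(label: bytes) -> bytes:
        return hmac.new(master_secret, label + digest, hashlib.sha256).digest()[:12]

    session.client_verify_data = vd(b"client finished")
    session.server_verify_data = vd(b"server finished")


def _outcome(fn, *args) -> str:
    try:
        return fn(*args)
    except HandshakeRefused as e:
        return f"refused: {e}"


def run_scenarios() -> dict:
    """Walk the cases from the thread on constructed inputs; returns {scenario: outcome}."""
    out = {}
    absent = RenegotiationInfo(present=False)
    for policy in Policy:
        out[f"{policy.name}: initial, no ext"] = _outcome(server_check_client_hello, policy, Session(), absent)
    sess = Session()
    complete_handshake(sess, b"constructed-master-secret", b"constructed-handshake-transcript")
    good = RenegotiationInfo(True, sess.client_verify_data)
    spliced = RenegotiationInfo(True, b"")  # attacker's own initial ClientHello injected as the victim's rehandshake
    out["SAFE: rehandshake, correct ext"] = _outcome(server_check_client_hello, Policy.SAFE_RENEGOTIATION, sess, good)
    out["SAFE: rehandshake, spliced hello"] = _outcome(server_check_client_hello, Policy.SAFE_RENEGOTIATION, sess, spliced)
    out["SAFE: rehandshake, no ext"] = _outcome(server_check_client_hello, Policy.SAFE_RENEGOTIATION, sess, absent)
    echoed = RenegotiationInfo(True, sess.client_verify_data + sess.server_verify_data)
    out["client: rehandshake, server echoes"] = _outcome(client_check_server_hello, sess, echoed)
    out["client: rehandshake, server no ext"] = _outcome(client_check_server_hello, sess, absent)
    return out


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:40s} {outcome}")
```

The point of the two server branches is the one Nikos makes: with %SAFE_RENEGOTIATION the legacy peer is still admitted on its first handshake and only loses the ability to renegotiate, whereas %INITIAL_SAFE_RENEGOTIATION turns the same peer away outright; neither changes what the server itself is exposed to.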