[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: safe renegotiation bug?
From: |
Simon Josefsson |
Subject: |
Re: safe renegotiation bug? |
Date: |
Tue, 01 Jun 2010 16:25:48 +0200 |
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) |
Nikos Mavrogiannopoulos <address@hidden> writes:
> Simon Josefsson wrote:
>
>>>> What do you think about this approach?
>>> As a concept I agree... The only problem might be that
>>> %PARTIAL_RENEGOTIATION might be misleading in client side because it
>>> doesn't really protect from the https renegotiation attack, but this can
>>> be made clear in the documentation. I'll try to check it today.
>>
>> Right, PARTIAL_RENEGOTIATION is the trade-off approach that is
>> vulnerable to some attacks but at least allows interop to happen. I
>> think we have some good warning material in the manual already for this.
>>
>> It would be great if you could make modifications to make this happen.
>> I can update the self tests to make sure it is working as we want it to.
>> Alas I'll be travelling in the next few days, but I'll have some
>> connectivity and can do a 2.9.11 release.
>
> Should be ok now. I needed to make some changes in srn5 in order to
> work. Please check them because I might have not understand what it
> does. It might be better to have a small text that documents what each
> srn?.c is testing for. Otherwise if it fails it is difficult to
> understand why and what went wrong.
Thanks! I'll take a look later this week -- there is
tests/safe-rengotiation/README which attempts to describe the tests, but
it may not be completely updated.
It may be that some of the srn?.c tests are not relevant any more.
/Simon