On 16/06/2021 11:15, John wrote:
Is there a way in GnuTLS to disable renegotiation on TLS and a way to disable client initiated secure renegotiation?
https://gnutls.org/manual/html_node/Safe-renegotiation.html#Safe-renegotiation "It is possible to disable use of the extension completely, in both clients and servers, by using the %DISABLE_SAFE_RENEGOTIATION priority string however we strongly recommend you to only do this for debugging and test purposes."
This is useful to harden the server. For example Exim4+Gnutls on Debian 10. There does not seem to be a need to support renegotiation or resumption on a mail server, because STARTTLS sessions are set up in each SMTP session. Disabling renegotiation reduces the attack surface.
Resumption is a different kettle of fish, but since it wasn't enabled in the most-recent Exim release I doubt that Debian's build has it up. Even if they did, the project coding has it not enabled until you do so explicitly in config. As for need, if you're repeatedly connecting the same pair of hosts, resumption saves CPU cycles.

--
Cheers, Jeremy

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
