As you may have noticed there was a big fuss lately about a bug in the TLS protocol that could cause a client to connect to the wrong server via a renegotiation. There is a fix to the protocol that is unfortunately incompatible with previous versions (if security is required). Thus a gnutls client implementing the fix cannot connect to any non-patched server[0]. To achieve compatibility one has to to explicitly allow unsafe renegotiation with a priority string. This is not always possible since gnutls might be used unintentionally by a program via another library.
With some trials in my system I noticed that the current behavior causes denial of service and a simple user might not even have control over the priority string for gnutls. Given your experiences (as system packager, user, implementor or so), what do you think is the adoption of priority strings in programs? Given a program that uses gnutls is it easy to set a string with the algorithms etc. needed for the negotiation? I have been in favor of enabling safe renegotiation for the client before, but seeing how gnutls is being used today, I might have not been correct and enabling it might cause more trouble than the issue it solves. Please let me know of what you think. regards, Nikos [0]. so far the fix adoption wasn't that great. _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
