help-gnutls

Re: safe renegotiation in client side


From: Simon Josefsson
Subject: Re: safe renegotiation in client side
Date: Mon, 15 Mar 2010 23:38:05 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Nikos Mavrogiannopoulos <address@hidden> writes:

> I have been in favor of enabling safe renegotiation for the client
> before, but seeing how gnutls is being used today, I might have not been
> correct and enabling it might cause more trouble than the issue it solves.

I just had a thought; it may be wrong due to the late hour...

Using safe renegotiation is only important if the client provides
credentials, right?

It sounds as if in your testing, GnuTLS clients were unable to talk to
any server, even if the clients didn't provide a client certificate.  Is
that right?

If that is the case, can't we make GnuTLS accept talking to "old"
servers by default, but if client certificate authentication is
requested by the application, it will tear down the connection if the
server doesn't support safe-renegotiation?

My impression is that client certificate authentication is still not
that widely used by applications.

This way, we'll be 100% secure but still work in the majority of cases.
People using client certificate authentication will not be able to talk
with old servers, but that is what they should get.

/Simon
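To make the proposed client policy concrete, here is an added example (not GnuTLS code and not part of this thread) that inspects a ServerHello for the RFC 5746 renegotiation_info extension, which is how a server signals safe-renegotiation support, and then applies the rule above: tolerate an "old" server unless the application has requested client certificate authentication. The ServerHello bytes are constructed inline, and the `client_cert_requested` flag stands in for whatever the application would tell the library.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type

def parse_server_hello_extensions(body: bytes) -> dict:
    """Return {ext_type: ext_data} from a ServerHello handshake body
    (the bytes after the 4-byte handshake header)."""
    pos = 2 + 32                      # protocol version + 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                # session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    exts = {}
    if pos == len(body):
        return exts                   # legacy ServerHello: no extensions block
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension")
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts

def server_supports_safe_renegotiation(body: bytes) -> bool:
    # On the initial handshake the extension must carry an empty
    # renegotiated_connection field, encoded as the single byte 0x00.
    return parse_server_hello_extensions(body).get(RENEGOTIATION_INFO) == b"\x00"

def accept_handshake(body: bytes, client_cert_requested: bool):
    """Simon's proposed client rule: old servers are fine unless the
    application asked for client certificate authentication."""
    safe = server_supports_safe_renegotiation(body)
    if client_cert_requested and not safe:
        return False, "client auth requested but server lacks safe renegotiation"
    return True, "safe renegotiation" if safe else "legacy server, no client auth"

def build_server_hello(extensions):
    """Constructed sample: TLS 1.0, empty session id, suite 0x002F, no compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    return body
```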
