help-gnutls

Re: safe renegotiation in client side


From: Simon Josefsson
Subject: Re: safe renegotiation in client side
Date: Tue, 16 Mar 2010 13:02:48 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Daniel Kahn Gillmor <address@hidden> writes:

> But any popular TLS client implementation also plays a role in spurring
> adoption of safe-reneg among servers by its choice of enforcement (and
> warning messages, etc).  I'd like to see GnuTLS contribute to the "peer
> pressure" here in some positive way.  I'm not saying that
> default-fail-closed is necessarily the best way to do that, but an
> entirely lenient policy is pretty weak on the peer pressure side and
> doesn't contribute to the overall security of network communications in
> general.

I agree.  So, we could release an experimental version where clients
required safe renegotiation, get it into various distributions, and try
applications that use GnuTLS to see if they work or not?

The important part is likely how well applications support priority
strings for easy user fallbacks.  How well error reporting works is
also important.  Maybe our energy is better spent helping application
writers here...

I'll do some experiments with 2.9.10 on my machine... maybe best to get
a release out first though.

/Simon