When "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref" is off, Firefox will refuse to perform a server-initiated renegotiation with a non-RFC-5746 server. What is the purpose of this behavior? It doesn't mitigate the vulnerability because in the attack scenario, the client believes it is performing an initial negotiation. If it is just intended to throw a roadblock into the use of vulnerable servers to force them to upgrade, I think that's inappropriate and would rather rely on a UI warning (bug 535649) as the sole means of evangelization for RFC 5746.
-- Matt -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto