On 25.03.2010 00:20, William A. Rowe Jr. wrote:
On 3/24/2010 5:51 PM, Rainer Jung wrote:

The server only needs server initiated renegotiations.

As repeated several times, there are apparently micro SSL implementations
out there in the wild, e.g. cell phone browsers, who choose to renegotiate
and - seeing an alert that it is not supported, hum merrily along.

So the 'shut down the connection' flavor of halting server initiated
renegotiation breaks such clients, while the openssl 0.9.8m graceful
handling supports such renegotiation requests with a polite refusal.

With respect to 2.0 the behaviour with the proposed patches should be identical to 2.2.

Concerning those special SSL clients: I had the impression there are still not enough facts around even when following the OpenSSL discussion list. Yes, there are such clients, but we still can't be completely sure about their interoperability with 0.9.8m.

Regards,

Rainer
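The two "flavours" contrasted above (dropping the connection versus the 0.9.8m-style polite refusal that lets the session carry on) are easiest to tell apart at the TLS record layer. The following is an added illustration, not code from this thread, from httpd or from OpenSSL: it builds TLS alert records from the RFC 5246 constants (alert content type 21, warning level 1, fatal level 2, no_renegotiation description 100, handshake_failure description 40), classifies what a server sent back after a renegotiation request, and checks whether application data followed the alert. The sample streams are constructed, the application data is left in plaintext as a stand-in for the encrypted records a real session would carry, and treating an empty stream as a TCP close is a simplification of this example.

```python
import struct

# TLS record-layer content types and alert codes (RFC 5246, sections 6.2 and 7.2).
CONTENT_ALERT = 21
CONTENT_APPLICATION_DATA = 23
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2
ALERT_CLOSE_NOTIFY = 0
ALERT_HANDSHAKE_FAILURE = 40
ALERT_NO_RENEGOTIATION = 100
ALERT_NAMES = {
    ALERT_CLOSE_NOTIFY: "close_notify",
    ALERT_HANDSHAKE_FAILURE: "handshake_failure",
    ALERT_NO_RENEGOTIATION: "no_renegotiation",
}
TLS10 = (3, 1)


def build_record(content_type, body, version=TLS10):
    """Serialise one TLS record: 5-byte header followed by the body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def build_alert_record(level, description, version=TLS10):
    """An alert record carries a two-byte body: level, then description."""
    return build_record(CONTENT_ALERT, bytes([level, description]), version)


def split_records(stream):
    """Split a byte string into (content_type, version, body) tuples.

    Raises ValueError on a truncated record so that a cut-off capture is
    not silently misread as a clean close.
    """
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records


def classify_renegotiation_response(stream):
    """Classify what the server sent back after a client asked to renegotiate.

    Returns one of:
      'connection_closed'      nothing came back: the server dropped TCP
      'graceful_refusal'       warning-level no_renegotiation, session continues
      'aborted:<alert name>'   a fatal alert, i.e. the 'shut down' flavour
      'unknown'                anything else, left for manual inspection
    Treating an empty stream as a TCP close is a simplification of this example.
    """
    if not stream:
        return "connection_closed"
    ctype, _version, body = split_records(stream)[0]
    if ctype != CONTENT_ALERT or len(body) != 2:
        return "unknown"
    level, description = body[0], body[1]
    if level == ALERT_LEVEL_WARNING and description == ALERT_NO_RENEGOTIATION:
        return "graceful_refusal"
    if level == ALERT_LEVEL_FATAL:
        return "aborted:" + ALERT_NAMES.get(description, "alert_%d" % description)
    return "unknown"


def session_continued(stream):
    """True if application data follows the first alert, i.e. both sides
    carried on after the refusal instead of tearing the connection down."""
    records = split_records(stream)
    for index, (ctype, _version, _body) in enumerate(records):
        if ctype == CONTENT_ALERT:
            return any(r[0] == CONTENT_APPLICATION_DATA for r in records[index + 1:])
    return False


# Constructed sample streams (not captured traffic); application data is
# shown in plaintext here, a real session would carry it encrypted.
GRACEFUL_STREAM = (
    build_alert_record(ALERT_LEVEL_WARNING, ALERT_NO_RENEGOTIATION)
    + build_record(CONTENT_APPLICATION_DATA, b"HTTP/1.1 200 OK\r\n\r\n")
)
ABORT_STREAM = build_alert_record(ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE)

if __name__ == "__main__":
    for name, stream in (("graceful", GRACEFUL_STREAM), ("abort", ABORT_STREAM), ("tcp close", b"")):
        print(name, classify_renegotiation_response(stream), session_continued(stream))
```

A client of the kind described in the thread, one that asks to renegotiate and then "hums merrily along", only works against the `graceful_refusal` case; the `aborted` and `connection_closed` cases are the behaviour that breaks it, which is the distinction to look for when checking a server's renegotiation handling with a packet capture.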
