As you may have heard, people have found out how to attack TLS as used in many application protocols. For more info see:

http://www.ietf.org/id/draft-rescorla-tls-renegotiation-00.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://extendedsubset.com/
http://www.imperialviolet.org/2009/11/05/tls-reneg.html

It is important to understand that you are not vulnerable unless you use renegotiation, which is not typical. If you use renegotiation, perhaps to request client certificates in a web server, the simplest "fix" is to disable any use of renegotiation. You don't need to do this if your application protocol is robust -- for example XMPP/Jabber appears to be robust against the problem. HTTPS is not robust.

There is work ongoing to specify a new extension to make TLS renegotiation safe against this attack, and hopefully GnuTLS will support it soon. Patches have been published in http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3944 but not yet tested or verified, and the IETF/IANA has not allocated a TLS extension number for it yet either.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
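
An added example, not part of the message above and not GnuTLS code: a passive check for whether a deployment uses renegotiation at all, which is the precondition the message names. It assumes one direction of a TLS 1.0-1.2 connection reassembled into bytes and a Finished message that fits in one record; the function names and sample streams are constructed for illustration.

```python
import struct

# TLS record content types; the 5-byte record header stays in cleartext
# even after encryption starts (TLS 1.0-1.2).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def iter_records(stream):
    """Yield (content_type, payload_length) per complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if not 20 <= ctype <= 23 or version >> 8 != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        yield ctype, length
        offset += 5 + length

def find_renegotiations(stream):
    """Return indexes of records that open a handshake inside a session.

    Assumption (heuristic): the first handshake record after each
    ChangeCipherSpec is the encrypted Finished message, in one record.
    """
    hits, state = [], "initial"
    for index, (ctype, _length) in enumerate(iter_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            state = "await_finished"
        elif ctype == HANDSHAKE and state == "await_finished":
            state = "established"
        elif ctype == HANDSHAKE and state == "established":
            hits.append(index)  # HelloRequest or a fresh ClientHello
            state = "renegotiating"
    return hits

def record(ctype, length, version=0x0301):
    """Constructed sample record: real header, zero-filled payload."""
    return struct.pack("!BHH", ctype, version, length) + bytes(length)

# Constructed client-to-server streams (lengths are arbitrary).
PLAIN_SESSION = b"".join(record(t, n) for t, n in [
    (HANDSHAKE, 120), (HANDSHAKE, 262), (CHANGE_CIPHER_SPEC, 1),
    (HANDSHAKE, 48), (APPLICATION_DATA, 400), (APPLICATION_DATA, 96)])
RENEGOTIATED_SESSION = PLAIN_SESSION + b"".join(record(t, n) for t, n in [
    (HANDSHAKE, 160), (HANDSHAKE, 300), (CHANGE_CIPHER_SPEC, 1),
    (HANDSHAKE, 48), (APPLICATION_DATA, 512)])

if __name__ == "__main__":
    print(find_renegotiations(PLAIN_SESSION))
    print(find_renegotiations(RENEGOTIATED_SESSION))
```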
