On 11/09/2009 10:19 AM, Simon Josefsson wrote:
> It is important to understand that you are not vulnerable unless you use
> renegotiation, which is not typical. If you use renegotiation, perhaps
> to request client certificates in a web server, the simplest "fix" is to
> disable any use of renegotiation.

My understanding is that the published attacks are undetectable from the
client-side without the use of the newly-proposed extension. So barring
that extension, it seems that the protective workaround you
describe (disabling renegotiation) needs to be done on the server side.
Is there a way that this can be done generically with GnuTLS (e.g. a
priority string, which could conceivably be passed into gnutls by an
administrator without needing a rebuild), or should the server simply
avoid calling gnutls_handshake() more than once per session?
Regards,
--dkg
_______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
