Daniel Kahn Gillmor <[email protected]> writes:

> But any popular TLS client implementation also plays a role in spurring
> adoption of safe-reneg among servers by its choice of enforcement (and
> warning messages, etc). I'd like to see GnuTLS contribute to the "peer
> pressure" here in some positive way. i'm not saying that
> default-fail-closed is necessarily the best way to do that, but an
> entirely lenient policy is pretty weak on the peer pressure side and
> doesn't contribute to the overall security of network communications in
> general.
I agree. So, we could release an experimental version where clients required safe renegotiation, get it into various distributions, and try applications that use GnuTLS to see if they work or not?

The important part is likely how well applications support priority strings for easy user fallbacks. How well error reporting works is also important. Maybe our energy is better spent helping application writers here...

I'll do some experiments with 2.9.10 on my machine... maybe best to get a release out first though.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
