Thor Lancelot Simon wrote:
I think it's a mistake to send a fatal alert. In the past week as I've
been experimenting with this, I've encountered a number of embedded
client devices (cellphones -- I suspect I know which stack they're using
but I'm not certain, so I won't identify the vendor here) which do periodic
renegotiations and can't be configured not to. I hacked up no-renegotiation
alert for a somewhat simpler TLS implementation since I kept tripping over
myself trying to do it with OpenSSL. The result was that these clients
could maintain connections -- they ignore the failed renegotiation.
With OpenSSL, these clients simply lose their connection and don't
display pages. I think this is wrong.
I support wholly this description of the situation.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
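The distinction the thread turns on is the alert level: a warning-level no_renegotiation alert (description 100) tells the peer the request was refused but leaves the connection usable, while any fatal alert forces both sides to tear it down. The following is an added example, not code from the thread or from OpenSSL: a small decoder for TLS alert records that applies the RFC 5246 close-or-continue rule; the three sample records are constructed for illustration.

```python
# Added example (not from the thread): decode a TLS alert record and decide
# whether the receiving side must drop the connection, per RFC 5246 section 7.2.
# A warning-level no_renegotiation(100) lets the peer keep the session alive;
# a fatal alert of any description forces both sides to close it.
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 AlertDescription values relevant to renegotiation handling.
ALERT_DESCRIPTION = {
    0: "close_notify",
    40: "handshake_failure",
    100: "no_renegotiation",
}

def parse_alert_record(record: bytes) -> dict:
    """Parse one TLS record and return its alert level and description.

    Raises ValueError for anything that is not a well-formed alert record.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body
    if level not in ALERT_LEVEL:
        raise ValueError(f"unknown alert level {level}")
    return {
        "version": version,
        "level": ALERT_LEVEL[level],
        "description": ALERT_DESCRIPTION.get(desc, f"unknown({desc})"),
    }

def must_close(alert: dict) -> bool:
    """RFC 5246: fatal alerts end the connection, and so does close_notify.
    Every other warning, including no_renegotiation, may be ignored."""
    return alert["level"] == "fatal" or alert["description"] == "close_notify"

# Constructed sample records (TLS 1.2 record version 0x0303):
WARNING_NO_RENEG = bytes.fromhex("15030300020164")   # warning, no_renegotiation
FATAL_NO_RENEG   = bytes.fromhex("15030300020264")   # fatal, no_renegotiation
FATAL_HANDSHAKE  = bytes.fromhex("15030300020228")   # fatal, handshake_failure

if __name__ == "__main__":
    for rec in (WARNING_NO_RENEG, FATAL_NO_RENEG, FATAL_HANDSHAKE):
        a = parse_alert_record(rec)
        print(a["level"], a["description"], "-> close" if must_close(a) else "-> keep connection")
```

Only the first record leaves the client able to continue, which is the behaviour the post describes for the embedded clients that ignore a refused renegotiation.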