> [[email protected] - Wed Nov 18 09:58:08 2009]: > > The TLS client in openssl-1.0.0 branch aborts the connection if > SSL_OP_ALLOW_UNSAFE_RENEGOTIATION (or SSL_OP_ALL) flag is not set by the > calling application and the connected server does not return the > extension in the server hello message. Unfortunately too many > applications do not set SSL_OP_ALL which makes them incompatible with > currently virtually every server as the renegotiation extension > supporting servers are not deployed yet. I propose adding a new flag for > the client which would explicitely disable connection to unsafe servers > and to allow this connection by default. For now in Fedora I am forced > to just disable the client side check. > > See also: https://bugzilla.redhat.com/show_bug.cgi?id=537962 >
Yes we should definitely allow connections (at least in the immediate future) to unpatched servers. We'd need two options for this: one for just clients connections and one to permit legacy renegotiation in general. That does however hit a snag in that OpenSSL 1.0.0 is pretty much out of options fields, and we'll need more in future to support TLS v1.1 for example. We should ideally update the options field so it is split up into several pieces but that might cause binary compatibility problems, not an ideal thing to do during a beta release :-( The problem of adding fields to SSL_CTX and SSL has been mentioned by a number of people before. How bad is that in practice? SSL_CTX and SSL structures are both allocated dynamically so the size change wont matter. The only remaining case is applications that access the fields directly instead of using APIs. We should and will make the SSL and SSL_CTX structures opaque at some point but not during a beta release cycle ;-) Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
