small fixes
David Woodhouse
dwmw2 at infradead.org
Mon Oct 27 03:53:36 PDT 2014
On Mon, 2014-10-27 at 10:52 +0100, Nikos Mavrogiannopoulos wrote:
> By reading gnutls.c I have the following fixes. A question is, whether
> the DISABLE_SAFE_RENEGOTIATION flag is intentional. I see that I
> copied that to ocserv, but as far as I know this has no
> interoperability issues, and using it, makes known attacks apply to
> openconnect.
It *was* intentional, I believe. There were firewalls which appeared to
be rejecting our ClientHello if we tried *any* extensions, and Cisco
showed no sign of actually supporting safe renegotiation anyway. At the
time of commit 91867b12 I think I may even have remembered where one of
them was and been able to test! :)
The situation has changed since then, though. AIUI we think we have a
handle on the offending firewalls and can use extensions *anyway* with
appropriate padding to avoid 'bad' packet sizes, and ∃ ocserv which
*can* do safe renegotiation.
So perhaps we can enable it again. But is there any reason for doing
renegotiation in the CSTP protocol, whether safe or otherwise?
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20141027/9543ed5b/attachment-0001.bin>
More information about the openconnect-devel
mailing list