Juniper SSL VPN login fails
David Woodhouse
dwmw2 at infradead.org
Tue Apr 14 05:29:10 PDT 2015
On Tue, 2015-04-14 at 15:07 +0300, Nikos Mavrogiannopoulos wrote:
> Indeed. Re-authentication cannot happen transparently in an application,
> i.e., suddenly the server or client change identity and no-one is
> notified. The fact that gnutls insists on explicit re-authentication by
> the application, protected applications from attacks like the triple
> handshake attack and the other re-handshake-based attacks on TLS.
... which is why I need to think hard about the fact that my patch
automatically just *does* the renegotiation whenever it's asked to.
And check it'll do the right thing if the server identity changes, etc.
Currently if we are suddenly offered a different cert we might just
accept it (if it's valid), or maybe even trigger a certificate
validation callback if it's not. We should probably make it accept
*only* the *same* certificate as before.
And might also want to limit the circumstances in which it tolerates
renegotiation at all — only when talking to a Network Connect server,
and only at certain points in the connection.
Not this week though.
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20150414/67b2e160/attachment.bin>
More information about the openconnect-devel
mailing list