Juniper SSL VPN login fails
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Apr 14 05:07:21 PDT 2015
On Mon, 2015-04-13 at 17:38 -0400, Tom Metro wrote:
> > ...actually the OpenSSL build seems to renegotiate all by itself
> > without requiring the application to do anything.
> My expectations are that an SSL library would provide hooks, in case you
> want to do something custom, but by default handle this internally. I
> guess the GnuTLS developers disagree.
Indeed. Re-authentication cannot happen transparently in an application,
i.e., suddenly the server or client change identity and no-one is
notified. The fact that gnutls insists on explicit re-authentication by
the application, protected applications from attacks like the triple
handshake attack and the other re-handshake-based attacks on TLS.
regards,
Nikos
More information about the openconnect-devel
mailing list