Juniper SSL VPN login fails

Nikos Mavrogiannopoulos nmav at
Tue Apr 14 05:07:21 PDT 2015

On Mon, 2015-04-13 at 17:38 -0400, Tom Metro wrote:

> > ...actually the OpenSSL build seems to renegotiate all by itself
> > without requiring the application to do anything.
> My expectations are that an SSL library would provide hooks, in case you
> want to do something custom, but by default handle this internally. I
> guess the GnuTLS developers disagree.

Indeed. Re-authentication cannot happen transparently in an application,
i.e., suddenly the server or client change identity and no-one is
notified. The fact that gnutls insists on explicit re-authentication by
the application, protected applications from attacks like the triple
handshake attack and the other re-handshake-based attacks on TLS.


More information about the openconnect-devel mailing list