On Tue, 2014-02-18 at 09:09 +0100, Nikos Mavrogiannopoulos wrote:
> I've updated that. I've tried to fix the open issues, and make it a bit more
> resistant to failures (if DTLS rehandshake it will now reconnect).

Hm, remember we don't really do a DTLS handshake at all; we bypass it with a preset master key and session-id, and just do a session resume. Does a re-"handshake" really do anything to change the underlying random numbers and improve security?

I know, I *implemented* this session resume in GnuTLS. But I forget the details. Quite deliberately so :)

Also, should the CSTP rehandshake method be predicated on secure renegotiation being available?

-- 
dwmw2
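The question in the message above is whether a resumed (D)TLS session that reuses a fixed master secret still ends up with fresh traffic keys. The following Python is an added illustration for readers of this thread; it is not code from the thread, from OpenConnect or from GnuTLS. It implements the TLS PRF as specified in RFC 2246 section 5 (the MD5/SHA-1 construction that DTLS 1.0 inherits) and RFC 5246 section 5 (the SHA-256 construction of TLS/DTLS 1.2), then derives the key block exactly as RFC 5246 section 6.3 does: from the master secret plus server_random and client_random. Because both randoms are sent afresh in every resumption exchange, the same master secret yields a different key block each time. The master secret and randoms used at the bottom are constructed sample values, and `resumed_session_keys` is a hypothetical helper that only simulates the resumption loop.

```python
import hmac
import os


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); the output is the concatenation of
    HMAC(secret, A(i) + seed) for i = 1, 2, ... truncated to `length` bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 / DTLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    return p_hash("sha256", secret, label + seed, length)


def prf_tls10(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 and DTLS 1.0 PRF (RFC 2246 section 5).

    The secret is split into two halves (the middle byte is shared if the
    length is odd); the result is P_MD5(S1, ...) XOR P_SHA1(S2, ...).
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def key_block(prf, master_secret: bytes, server_random: bytes,
              client_random: bytes, length: int) -> bytes:
    """Key expansion from RFC 5246 section 6.3.

    Note the seed order is server_random + client_random, the reverse of the
    order used when deriving the master secret from the pre-master secret.
    """
    return prf(master_secret, b"key expansion", server_random + client_random, length)


def resumed_session_keys(prf, master_secret: bytes, n_resumptions: int = 2,
                         key_block_len: int = 104) -> list:
    """Hypothetical helper: simulate n resumptions that all reuse one master
    secret but draw fresh 32-byte client and server randoms each time.
    Returns the key block derived for each resumption."""
    blocks = []
    for _ in range(n_resumptions):
        client_random = os.urandom(32)
        server_random = os.urandom(32)
        blocks.append(key_block(prf, master_secret, server_random,
                                client_random, key_block_len))
    return blocks


if __name__ == "__main__":
    # Constructed sample values, not from any real session.
    master_secret = bytes(range(48))
    first, second = resumed_session_keys(prf_tls12, master_secret, 2)
    print("same master secret, fresh randoms, key blocks differ:",
          first != second)
    # The same inputs through the legacy (DTLS 1.0) PRF, for comparison.
    legacy = key_block(prf_tls10, master_secret, bytes(32), bytes(32), 104)
    print("DTLS 1.0 key block:", legacy.hex())
```

The lesson for the resumption-only scheme discussed above is that a resumption exchange does refresh the per-connection key material, because the key block depends on the new randoms and not only on the preset master secret; what it cannot do is replace that master secret, so a compromised master secret still exposes every session resumed from it.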