On Mon, 2014-10-27 at 10:52 +0100, Nikos Mavrogiannopoulos wrote: > By reading gnutls.c I have the following fixes. A question is, whether > the DISABLE_SAFE_RENEGOTIATION flag is intentional. I see that I > copied that to ocserv, but as far as I know this has no > interoperability issues, and using it, makes known attacks apply to > openconnect. It *was* intentional, I believe. There were firewalls which appeared to be rejecting our ClientHello if we tried *any* extensions, and Cisco showed no sign of actually supporting safe renegotiation anyway. At the time of commit 91867b12 I think I may even have remembered where one of them was and been able to test! :) The situation has changed since then, though. AIUI we think we have a handle on the offending firewalls and can use extensions *anyway* with appropriate padding to avoid 'bad' packet sizes, and ? ocserv which *can* do safe renegotiation. So perhaps we can enable it again. But is there any reason for doing renegotiation in the CSTP protocol, whether safe or otherwise? -- dwmw2 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5745 bytes Desc: not available URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20141027/9543ed5b/attachment-0001.bin>
