On Mon, Oct 27, 2014 at 11:53 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> It *was* intentional, I believe. There were firewalls which appeared to
> be rejecting our ClientHello if we tried *any* extensions, and Cisco
> showed no sign of actually supporting safe renegotiation anyway. At the
> time of commit 91867b12 I think I may even have remembered where one of
> them was and been able to test! :)
>
> The situation has changed since then, though. AIUI we think we have a
> handle on the offending firewalls and can use extensions *anyway* with
> appropriate padding to avoid 'bad' packet sizes, and ? ocserv which
> *can* do safe renegotiation.
>
> So perhaps we can enable it again. But is there any reason for doing
> renegotiation in the CSTP protocol, whether safe or otherwise?

Renegotiation prevents tearing the connection down and setting up again.
That is no downtime, except for a small delay during renegotiation.

regards,
Nikos
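The quoted message touches two mechanics at once: advertising the secure-renegotiation extension (RFC 5746, renegotiation_info) in the ClientHello, and padding the ClientHello so its size stays clear of record lengths that the offending firewalls mishandle. The Python below is an added example, not OpenConnect or ocserv code: it builds a TLS 1.2 ClientHello carrying renegotiation_info and, when the unpadded record payload would fall in the 256..511 byte range, appends an RFC 7685 padding extension to bring it to 512 bytes. That this is the padding rule the thread has in mind is an assumption; the rule itself is the worked example in RFC 7685. The cipher-suite list, the hostname and the ClientHello sizes are constructed sample values, and a small parser is included so the result can be checked.

```python
"""
TLS ClientHello builder with renegotiation_info (RFC 5746) and
padding (RFC 7685) extensions. Added example, not OpenConnect/ocserv code.
"""
import struct

TLS12 = b"\x03\x03"
EXT_SERVER_NAME = 0x0000          # RFC 6066, used here only to vary the size
EXT_PADDING = 0x0015              # RFC 7685
EXT_RENEGOTIATION_INFO = 0xFF01   # RFC 5746

# Record payload sizes (TLSCiphertext.length) avoided in RFC 7685's worked
# example, and the size padded up to. Assumption: this is the rule meant.
AVOID_LOW, AVOID_HIGH, PAD_TARGET = 256, 511, 512


def encode_extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    # server_name: ServerNameList of one host_name entry (name_type 0)
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def client_hello_body(cipher_suites, extensions, client_random=bytes(32)):
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS12 + client_random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # compression: null only
    if extensions:
        blob = b"".join(encode_extension(t, b) for t, b in extensions)
        body += struct.pack("!H", len(blob)) + blob
    return body


def padding_body_length(unpadded_payload_len):
    """Bytes of padding extension_data to add, or None if none is needed.

    unpadded_payload_len is the handshake message length including its
    4-byte handshake header (i.e. the record payload length) before padding.
    Assumes an extensions block already exists, so only the 4-byte extension
    header is added on top of the data bytes.
    """
    if not (AVOID_LOW <= unpadded_payload_len <= AVOID_HIGH):
        return None
    needed = PAD_TARGET - unpadded_payload_len - 4
    # When even the bare 4-byte header would reach 512, still send one data
    # byte: overshooting the target is harmless, landing in the range is not.
    return needed if needed >= 1 else 1


def build_client_hello(cipher_suites, extensions, client_random=bytes(32)):
    """Return a TLS record carrying the ClientHello, padded per RFC 7685."""
    exts = list(extensions)
    payload_len = 4 + len(client_hello_body(cipher_suites, exts, client_random))
    pad = padding_body_length(payload_len)
    if pad is not None:
        exts.append((EXT_PADDING, bytes(pad)))
    body = client_hello_body(cipher_suites, exts, client_random)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (record payload length, [extension types]) of a ClientHello record."""
    assert record[0] == 0x16, "not a handshake record"
    payload_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + payload_len]
    assert hs[0] == 0x01, "not a ClientHello"
    pos = 4 + 2 + 32                                     # header, version, random
    pos += 1 + hs[pos]                                   # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                                   # compression methods
    types = []
    if pos < len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            types.append(ext_type)
            pos += 4 + ext_len
    return payload_len, types


if __name__ == "__main__":
    # Constructed sample: 100 dummy suite ids push the unpadded hello to 274 bytes
    rec = build_client_hello(range(1, 101), [(EXT_RENEGOTIATION_INFO, b"\x00"),
                                             sni_extension("vpn.example.com")])
    print(parse_client_hello(rec))   # (512, [65281, 0, 21])
```

The renegotiation_info body sent here is the single zero byte of an empty renegotiated_connection, which is what an initial handshake carries; a renegotiation would instead echo the previous client verify_data. Only the padding step cares about size, so the same builder can be reused with any extension set.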