Bug#528661: fixed in upstream ELinks 0.12pre4

Simon Josefsson simon at josefsson.org
Mon Jun 1 08:57:13 UTC 2009


Kalle Olavi Niemitalo <kon at iki.fi> writes:

> * Debian bug 528661: If using GNUTLS 2.1.7 or later, disable various
>   TLS extensions (including CERT and SERVERNAME) to help handshaking
>   with the SSLv3-only bugzilla.novell.com.

Disabling the SERVERNAME extension seems like a bad idea -- I believe
Mozilla (and IE on Vista) enables it by default, and some sites may be
using that to provide HTTPS virtual hosting.

On the other hand, the elinks code used to send "localhost" as the SNI,
which is even worse than not using the extension at all.  So if you
cannot send the proper server name (as entered by the user or from a
HREF tag), it is better to disable the extension (as you have done).
The best is to use the SERVERNAME extension and send the expected
hostname, though.

The problem with bugzilla.novell.com was that it didn't like TLSv1.1.
It didn't have a problem with TLSv1.0 + extensions.  (However, there may
be _other_ servers out there that cannot handle TLS extensions...)

/Simon
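The point above about sending the proper server name (and never a placeholder like "localhost") in the SNI extension, as an added example in Python's ssl module; this is not ELinks or GnuTLS code. It derives the SNI value from the URL the user entered, omits the extension for IP literals as RFC 6066 requires, and uses the same name for certificate host-name verification. The URLs in the test are constructed.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def sni_name_for_url(url: str):
    """Return the host name to send in the TLS server_name (SNI) extension
    for *url*, or None when the extension must be omitted.

    RFC 6066 only allows DNS host names in SNI, so for an IP literal the
    extension is left out rather than filled with a placeholder such as
    "localhost".  A URL without a host is an error, not "localhost" either.
    """
    host = urlsplit(url).hostname  # lower-cased; IPv6 brackets stripped
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: no SNI
    except ValueError:
        pass
    host = host.rstrip(".")  # "example.com." -> "example.com"
    # Internationalised names go on the wire as A-labels (punycode).
    # str.encode("idna") implements IDNA 2003; use the "idna" package
    # if you need IDNA 2008 semantics.
    return host.encode("idna").decode("ascii")


def open_tls(url: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with SNI derived from the URL.

    The same name is used for certificate host-name verification, so a
    server that picks a virtual host by SNI cannot be accepted with a
    certificate issued for some other name.
    """
    parts = urlsplit(url)
    port = parts.port or 443
    ctx = ssl.create_default_context()  # verification and check_hostname on
    raw = socket.create_connection((parts.hostname, port), timeout=timeout)
    name = sni_name_for_url(url)
    # For an IP literal Python sends no SNI and matches the address against
    # the certificate's iPAddress SAN, which is the RFC 6066 behaviour.
    return ctx.wrap_socket(raw, server_hostname=name or parts.hostname)
```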

More information about the Pkg-gnutls-maint mailing list