Gnutls and secure renegotiation / CVE-2009-3555 / RFC 5746
Stefan Fritsch
sf at sfritsch.de
Sun Dec 5 20:07:36 UTC 2010
Hi gnutls maintainers,
we are currently working on an upgrade for openssl and nss in lenny to
support secure renegotiation. Do you have some plan/idea how to deal
with Gnutls?
Do you know any server or client software using gnutls in Debian that
supports session renegotiation? As a client I have tried libcurl-
gnutls via pycurl but I couldn't get client cert authentication with
renegotiation to work. As a server, I think apache/mod_gnutls should
work, but I haven't tried that yet.
Given that browser vendors are very likely to lock out non-RFC5746-
conforming servers during the lifetime of squeeze, we need at least
support in squeeze. But if it's not too difficult, I would like to see
support in lenny, too.
As an additional data point, the default configuration of
apache/mod_ssl with a recent openssl is to deny renegotiation for
clients that do not support RFC5746.
Any thoughts?
Cheers,
Stefan
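The "supports RFC5746" test that a server such as apache/mod_ssl applies before allowing renegotiation comes down to two signals in the ClientHello: the `renegotiation_info` extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00ff). The following is an added example, not code from this thread or from GnuTLS, that parses a ClientHello body and reports whether either signal is present; the three sample hellos are constructed inline for the check.

```python
import struct

RENEGOTIATION_INFO_EXT = 0xFF01        # RFC 5746, section 3.2
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746, section 3.3

def parse_client_hello(hello: bytes) -> dict:
    """Parse a TLS ClientHello body (the bytes after the 4-byte handshake header)."""
    off = 2 + 32                         # client_version + random
    sid_len = hello[off]; off += 1 + sid_len
    cs_len = struct.unpack_from("!H", hello, off)[0]; off += 2
    suites = [struct.unpack_from("!H", hello, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    cm_len = hello[off]; off += 1 + cm_len  # compression_methods
    exts = {}
    if off < len(hello):                 # extensions block is optional
        ext_len = struct.unpack_from("!H", hello, off)[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, off); off += 4
            exts[etype] = hello[off:off + elen]; off += elen
    return {"cipher_suites": suites, "extensions": exts}

def signals_rfc5746(hello: bytes) -> bool:
    """True if the client advertises secure renegotiation by SCSV or extension."""
    p = parse_client_hello(hello)
    return (EMPTY_RENEGOTIATION_INFO_SCSV in p["cipher_suites"]
            or RENEGOTIATION_INFO_EXT in p["extensions"])

def build_client_hello(suites, extensions) -> bytes:
    """Constructed minimal ClientHello body (TLS 1.0, empty session id) for testing."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                  # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return body

# Constructed samples: a legacy client, an SCSV-signalling client, and an
# extension-signalling client (empty renegotiated_connection on first handshake).
LEGACY_HELLO = build_client_hello([0x002F, 0x0035], [])
SCSV_HELLO = build_client_hello([0x002F, 0x00FF], [])
EXT_HELLO = build_client_hello([0x002F], [(0xFF01, b"\x00")])

if __name__ == "__main__":
    for name, h in [("legacy", LEGACY_HELLO), ("scsv", SCSV_HELLO), ("ext", EXT_HELLO)]:
        print(name, "RFC5746:", signals_rfc5746(h))
```

A server in the mod_ssl default described above would refuse a renegotiation request from the first client and accept it from the other two.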
More information about the Pkg-gnutls-maint mailing list