Gnutls and secure renegotiation / CVE-2009-3555 / RFC 5746
Andreas Metzler
ametzler at downhill.at.eu.org
Mon Dec 6 18:05:09 UTC 2010
On 2010-12-05 Stefan Fritsch <sf at sfritsch.de> wrote:
> Hi gnutls maintainers,
> we are currently working on an upgrade for openssl and nss in lenny to
> support secure renegotiation. Do you have some plan/idea how to deal
> with Gnutls?
> Do you know any server or client software using gnutls in Debian that
> supports session renegotiation? As a client I have tried libcurl-gnutls
> via pycurl but I couldn't get client cert authentication with
> renegotiation to work.
Could you retry with gnutls 2.10.x?
> As a server, I think apache/mod_gnutls should
> work, but I haven't tried that yet.
> Given that browser vendors are very likely to lock out non-RFC5746-conforming
> servers during the lifetime of squeeze, we need at least
> support in squeeze. But if it's not too difficult, I would like to see
> support in lenny, too.
Hello,
RFC 5746 support was introduced in the development release 2.9.10, and it is
one of the major selling points of the 2.10.x stable release over 2.8.x. I
was not aware of how important the feature was, otherwise I would have
tried pushing 2.10.x into squeeze.
Upstream probably will not backport this for 2.8.x (which is what we
might end up with in squeeze) or 2.4.x. They have not got an abundance
of manpower. I am lacking the skills. So I think lenny is out of the
question.
I can still try to get this into squeeze, if it is your best judgement
that it is a critical feature. It should not be a very painful
transition (shlibs bump, but no soname bump).
cu andreas
http://article.gmane.org/gmane.network.gnutls.general/2046