Gnutls and secure renegotiation / CVE-2009-3555 / RFC 5746

Stefan Fritsch sf at sfritsch.de
Mon Dec 6 22:04:55 UTC 2010


Putting debian-release on cc, they may want to comment.

On Monday 06 December 2010, Andreas Metzler wrote:
> On 2010-12-05 Stefan Fritsch <sf at sfritsch.de> wrote:
> > we are currently working on an upgrade for openssl and nss in
> > lenny to support secure renegotiation. Do you have some
> > plan/idea how to deal with Gnutls?
> > 
> > Do you know any server or client software using gnutls in Debian
> > that supports session renegotiation? As a client I have tried
> > libcurl-gnutls via pycurl but I couldn't get client cert
> > authentication with renegotiation to work.
> 
> Could you retry with gnutls 2.10.x?

Will do when I have time, but I suspect the problem is in libcurl. 
AFAIK, gnutls consumers need to have special support for 
renegotiation.

> 
> > As a server, I think apache/mod_gnutls should
> > work, but I haven't tried that yet.
> > 
> > Given that browser vendors are very likely to lock out
> > non-RFC5746-conforming servers during the lifetime of squeeze,

I have read a bit more and this may have been overly pessimistic. We 
have received mails from Opera that they will do that next year, but 
other browser vendors will likely be slower. For example, [1] seems to 
indicate that Mozilla will only disable legacy _re_negotiation in 3.7, 
which would not be that big a problem. They would completely disable 
negotiation to legacy servers only later (cite: "eventually, if enough 
sites have been upgraded to the new protocol versions").

> > we need at least support in squeeze. But if it's not too
> > difficult, I would like to see support in lenny, too.
> 
> Hello,
> 
> RFC 5746 support was introduced in the development release 2.9.10, it
> is one of the major selling points of 2.10.x stable release over
> 2.8.x. I was not aware of how important the feature was, otherwise
> I would have tried pushing 2.10.x into squeeze.
> 
> Upstream probably will not backport this for 2.8.x (which is what
> we might end up with in squeeze) or 2.4.x. They have not got an
> abundance of manpower. I am lacking the skills. So I think lenny
> is out of question.
> 
> I can still try to get this into squeeze, if it is your best judgement
> that it is a critical feature. It should not be a very painful
> transition (shlibs bump, but no soname bump).

The release team would probably kill us for just suggesting it :-/

But Suse has released updates for 2.4.1 and 2.8.6 [2]. I have put the 
extracted source rpms at [3]. The patches are huge but 80% seem to be 
the test suite. [3] contains two versions of each, the older one is 
the released package and the newer one is unreleased but has 
additional fixes.

My current feeling is that we will just skip gnutls for the first 
round of Lenny-DSAs that add RFC5746 support. We can reconsider later 
if it causes many problems for users. Therefore patching squeeze has 
definitely higher priority. If you have time, it would be great if you 
could look at the patches.

Cheers,
Stefan

> cu andreas
> 
> http://article.gmane.org/gmane.network.gnutls.general/2046

[1] https://wiki.mozilla.org/Security:Renegotiation
[2] http://lwn.net/Articles/418864/
[3] http://www.sfritsch.de/~stf/suse-gnutls/