Gnutls and secure renegotiation / CVE-2009-3555 / RFC 5746

Simon Josefsson simon at josefsson.org
Tue Dec 7 08:10:23 UTC 2010


Stefan Fritsch <sf at sfritsch.de> writes:

> Putting debian-release on cc, they may want to comment.
>
> On Monday 06 December 2010, Andreas Metzler wrote:
>> On 2010-12-05 Stefan Fritsch <sf at sfritsch.de> wrote:
>> > we are currently working on an upgrade for openssl and nss in
>> > lenny to support secure renegotiation. Do you have some
>> > plan/idea how to deal with Gnutls?
>> > 
>> > Do you know any server or client software using gnutls in Debian
>> > that supports session renegotiation? As a client I have tried
>> > libcurl-gnutls via pycurl but I couldn't get client cert
>> > authentication with renegotiation to work.
>> 
>> Could you retry with gnutls 2.10.x?
>
> Will do when I have time, but I suspect the problem is in libcurl. 
> AFAIK, gnutls consumers need to have special support for 
> renegotiation.

I searched for clients that support renegotiation, and I think the only
client with proper renegotiation support is gnutls-cli.  Curl doesn't
have it, or at least it didn't when I looked.

> But Suse has released updates for 2.4.1 and 2.8.6 [2]. I have put the 
> extracted source rpms at [3]. The patches are huge but 80% seem to be 
> the test suite. [3] contains two versions of each, the older one is 
> the released package and the newer one is unreleased but has 
> additional fixes.
>
> My current feeling is that we will just skip gnutls for the first 
> round of Lenny-DSAs that add RFC5746 support. We can reconsider later 
> if it causes many problems for users. Therefore patching squeeze has 
> definitely higher priority. If you have time, it would be great if you 
> could look at the patches.

If back-ported patches are contributed back upstream (this is the first
time I heard about Suse's work) we can do a semi-official release for
2.8.x with the renegotiation support.  However I don't have any free
time to do serious checking of the old 2.8.x branch, so it will be all
up to whoever does the work here to make sure it is working correctly.

/Simon
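The "special support" the thread refers to is the wire-level mechanism of RFC 5746: a client advertises secure renegotiation either with the renegotiation_info extension (type 0xff01) or with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff), and on a renegotiation both sides must echo the verify_data of the previous Finished messages so that a MITM cannot splice its own handshake in front of the client's (CVE-2009-3555). The following Python is an added example, not code from this list or from GnuTLS, libcurl or any Debian package; it builds and parses a minimal ClientHello and applies the server-side checks of RFC 5746 sections 3.6 and 3.7 and the client-side checks of sections 3.4 and 3.5 to constructed messages. The verify_data values and the function names are assumptions for the example; real verify_data comes from the Finished messages of the preceding handshake.

```python
"""RFC 5746 renegotiation_info handling (added example, not GnuTLS code).

The ClientHello bodies and verify_data values below are constructed for the
example; real verify_data is the 12-byte Finished value of the prior handshake.
"""
import struct

RENEGOTIATION_INFO = 0xFF01          # extension type, RFC 5746 section 3.2
SCSV = 0x00FF                        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, section 3.3
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F


def build_client_hello(cipher_suites, renegotiated_connection=None, send_scsv=False):
    """Return a TLS 1.2 ClientHello body (handshake header omitted).

    renegotiated_connection: None -> no renegotiation_info extension (legacy client);
    b""  -> the empty extension sent on an initial handshake;
    client_verify_data -> the extension sent when renegotiating.
    """
    suites = list(cipher_suites) + ([SCSV] if send_scsv else [])
    body = b"\x03\x03" + bytes(32)                      # version; all-zero random (constructed)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # compression_methods: null only
    if renegotiated_connection is not None:
        ext_data = bytes([len(renegotiated_connection)]) + renegotiated_connection
        ext = struct.pack("!HH", RENEGOTIATION_INFO, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    return body


def parse_client_hello(body):
    """Return (cipher_suites, {ext_type: ext_data}) from a ClientHello body."""
    off = 2 + 32                                        # skip version and random
    off += 1 + body[off]                                # skip session_id
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2
    suites = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                # skip compression_methods
    exts = {}
    if off < len(body):                                 # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", body, off)
        off += 2
        end = off + ext_len
        while off < end:
            ext_type, ln = struct.unpack_from("!HH", body, off)
            off += 4
            exts[ext_type] = body[off:off + ln]
            off += ln
    return suites, exts


def server_check_client_hello(body, renegotiating=False, client_verify_data=None):
    """Server-side rules of RFC 5746 sections 3.6 (initial) and 3.7 (renegotiation).

    client_verify_data is the value saved from the previous handshake, or None if
    that handshake was not secure. Returns (secure_renegotiation, reason); a reason
    means the handshake must be aborted, (False, None) means a legacy peer.
    """
    suites, exts = parse_client_hello(body)
    ext = exts.get(RENEGOTIATION_INFO)
    if not renegotiating:
        if ext is not None and ext != b"\x00":
            return False, "renegotiation_info not empty in initial handshake"
        return (ext is not None or SCSV in suites), None
    if client_verify_data is None:
        return False, "refusing renegotiation with a legacy peer"
    if SCSV in suites:
        return False, "SCSV present in renegotiation ClientHello"
    if ext is None:
        return False, "renegotiation_info missing in renegotiation"
    if ext != bytes([len(client_verify_data)]) + client_verify_data:
        return False, "renegotiated_connection does not match saved client_verify_data"
    return True, None


def client_check_server_hello_ext(ext_data, client_verify_data=None, server_verify_data=None):
    """Client-side rules of RFC 5746 sections 3.4 and 3.5 applied to the
    renegotiation_info data of a ServerHello (None if the extension is absent)."""
    if client_verify_data is None:                      # initial handshake
        if ext_data is None:
            return False, None                          # legacy server
        if ext_data != b"\x00":
            return False, "renegotiation_info not empty in initial handshake"
        return True, None
    if ext_data is None:                                # renegotiation
        return False, "server omitted renegotiation_info on renegotiation"
    expected = client_verify_data + server_verify_data  # client's, then server's
    if ext_data != bytes([len(expected)]) + expected:
        return False, "renegotiated_connection does not match saved verify_data"
    return True, None


if __name__ == "__main__":
    cvd, svd = bytes(range(12)), bytes(range(12, 24))   # constructed verify_data
    initial = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA], renegotiated_connection=b"")
    print("initial:", server_check_client_hello(initial))
    reneg = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA], renegotiated_connection=cvd)
    print("renegotiation:", server_check_client_hello(reneg, True, cvd))
    print("spliced:", server_check_client_hello(reneg, True, bytes(12)))
```

The last call models the attack the RFC closes: a renegotiation whose verify_data does not match the server's saved value is rejected instead of being glued onto the attacker's earlier connection. The "legacy peer" outcome is where Debian's decision to ship OpenSSL and NSS updates first matters: a GnuTLS client that never sends the extension or the SCSV is still treated as legacy by patched servers, and servers that disable legacy renegotiation will refuse to renegotiate with it.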
