path: root/doc/gnutls.texi
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2010-06-01 16:02:34 +0200
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2010-06-01 16:10:03 +0200
commit: 9fd9ba397442fa0d593766e1ae396e589abf4c41 (patch)
tree: 210e27f0af33a300d7e785b61a3542f17f3c9e48 /doc/gnutls.texi
parent: 41b98c63e0656b4f74b42b13800426183a62d1ac (diff)
download: gnutls-9fd9ba397442fa0d593766e1ae396e589abf4c41.tar.gz
Split safe renegotiation capabilities to

%SAFE_RENEGOTIATION: will enable safe renegotiation. This is the most secure and recommended option for clients. However this will prevent connecting to legacy servers.
%PARTIAL_RENEGOTIATION: Prevents renegotiation with clients and servers not supporting the safe renegotiation extension. (this is the default)
%UNSAFE_RENEGOTIATION: Permits (re-)handshakes, even unsafe ones.
Diffstat (limited to 'doc/gnutls.texi')
-rw-r--r--  doc/gnutls.texi | 24
1 files changed, 11 insertions, 13 deletions
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index daef0ff880..7e4c3ca1a2 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -1280,7 +1280,6 @@ Note that it is easy to configure clients to always require the safe
renegotiation extension from servers (see below on the
%SAFE_RENEGOTIATION priority string).
-
To modify the default behaviour, we have introduced some new priority
strings. The priority strings can be used by applications
(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
@@ -1288,16 +1287,15 @@ parameter to @code{gnutls-cli} and @code{gnutls-serv}).
The @code{%UNSAFE_RENEGOTIATION} priority string permits
(re-)handshakes even when the safe renegotiation extension was not
-negotiated. The @code{%SAFE_RENEGOTIATION} priority string makes
-client require the extension for every handshake and servers will refuse
-renegotiation without it.
-
-To enforce your clients to upgrade to a version that supports safe
-renegotiation the %INITIAL_SAFE_RENEGOTIATION priority string should
-be used at server side. This will deny any (re-)handshakes unless the
-client supports the extension. This however will prevent all clients
-that do not support the extension from connecting to server, even if
-they do not use renegotiation.
+negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
+prevent renegotiation with clients and servers not supporting the
+extension. This is secure for servers but leaves clients vulnerable
+to some attacks, but this is a tradeoff between security and compatibility
+with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
+clients and servers require the extension for every handshake. The latter
+is the most secure option for clients, at the cost of not being able
+to connect to legacy servers. Servers will also deny clients that
+do not support the extension from connecting.
It is possible to disable use of the extension completely, in both
clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
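Review bot: The removed paragraph was the only documentation of %INITIAL_SAFE_RENEGOTIATION, and the new text never mentions it; if the priority parser still accepts that string, document it here as an alias of (or as superseded by) @code{%SAFE_RENEGOTIATION}, and if it has been dropped, say so in the commit message so users of the old string know it no longer parses. The new wording also needs tightening: "leaves clients vulnerable to some attacks, but this is a tradeoff" chains two "but" clauses, and "some attacks" should name the attack the extension addresses (or cross-reference the section above that describes it) so readers can judge the tradeoff; "The latter is the most secure option for clients" is ambiguous after a sentence that names both clients and servers, so say "Requiring the extension is the most secure option for clients"; and "behavior" in the added line is inconsistent with "behaviour" in the context line "To modify the default behaviour" a few lines earlier.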
@@ -1308,10 +1306,10 @@ The default values if the flags above are not specified are:
@table @code
@item Server:
-%SAFE_RENEGOTIATION
+%PARTIAL_RENEGOTIATION
@item Client:
-%UNSAFE_RENEGOTIATION
+%PARTIAL_RENEGOTIATION
@end table
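Review bot: Changing the client default from %UNSAFE_RENEGOTIATION to %PARTIAL_RENEGOTIATION is a behaviour change, not just a documentation fix: clients that previously accepted renegotiation with any server will now refuse to renegotiate with servers lacking the extension, which can break existing deployments that rely on client-side renegotiation against legacy servers. Call this out in NEWS alongside the doc update, and state in the paragraph above that users who need the old behaviour must set %UNSAFE_RENEGOTIATION explicitly.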