(gnutls_priority_set) and end users (e.g., `--priority' parameter to
`gnutls-cli' and `gnutls-serv').
-The `%UNSAFE_RENEGOTIATION' priority string requests what is today the
+The `%PARTIAL_RENEGOTIATION' priority string requests what is today the
default behaviour, i.e., that handshakes without the safe renegotiation
extension is permitted. To make more use of the extension, you may
provide the `%SAFE_RENEGOTIATION' priority string. In this mode,
-clients will require that the server supports the extension for the
-initial handshake, and servers will require that the client supports
-the extension for renegotiated handshakes. If you want to make a
-server refuse even initial handshakes without the safe renegotiation
-extension, use the `%INITIAL_SAFE_RENEGOTIATION' priority string. It
-is possible to disable use of the extension completely by using the
+clients and servers will require that the peer supports the extension for
+the initial handshakes. To allow unsafe rengotiation the
+`%UNSAFE_RENEGOTIATION' priority string is available. This will send
+the extension if supported by peer but will never mandate it.
+It is possible to disable use of the extension completely by using the
`%DISABLE_SAFE_RENEGOTIATION' priority string however this is
recommended against except for debugging.
renegotiation extension from servers (see below on the
%SAFE_RENEGOTIATION priority string).
-
To modify the default behaviour, we have introduced some new priority
strings. The priority strings can be used by applications
(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
The @code{%UNSAFE_RENEGOTIATION} priority string permits
(re-)handshakes even when the safe renegotiation extension was not
-negotiated. The @code{%SAFE_RENEGOTIATION} priority string makes
-client require the extension for every handshake and servers will refuse
-renegotiation without it.
-
-To enforce your clients to upgrade to a version that supports safe
-renegotiation the %INITIAL_SAFE_RENEGOTIATION priority string should
-be used at server side. This will deny any (re-)handshakes unless the
-client supports the extension. This however will prevent all clients
-that do not support the extension from connecting to server, even if
-they do not use renegotiation.
+negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
+prevent renegotiation with clients and servers not supporting the
+extension. This is secure for servers but leaves clients vulnerable
+to some attacks, but this is a tradeoff between security and compatibility
+with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
+clients and servers require the extension for every handshake. The latter
+is the most secure option for clients, at the cost of not being able
+to connect to legacy servers. Servers will also deny clients that
+do not support the extension from connecting.
It is possible to disable use of the extension completely, in both
clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
@table @code
@item Server:
-%SAFE_RENEGOTIATION
+%PARTIAL_RENEGOTIATION
@item Client:
-%UNSAFE_RENEGOTIATION
+%PARTIAL_RENEGOTIATION
@end table
"%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client
hello. This is to avoid buggy servers from terminating connection.
.IP
-"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default)
+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
.IP
-"%SAFE_RENEGOTIATION" will enable safe renegotiation.
+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
+supporting the safe renegotiation extension. (default)
+.IP
+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
+secure and recommended option for clients. However this will prevent from
+connecting to legacy servers.
.IP
To avoid collisions in order to specify a compression algorithm in
this string you have to prefix it with "COMP-", protocol versions
.IP
"%COMPAT" will enable compatibility features for a server.
.IP
-"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default).
+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
.IP
-"%SAFE_RENEGOTIATION" will enable safe renegotiation.
+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
+supporting the safe renegotiation extension. (default)
.IP
-"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
-renegotiation wasn't requested.
+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
+secure and recommended option for clients. However this will prevent from
+connecting to legacy servers.
.IP
To avoid collisions in order to specify a compression algorithm in
this string you have to prefix it with "COMP-", protocol versions
DECR_LEN (data_size, len + 1 /* count the first byte and payload */ );
- if (session->internals.priorities.disable_safe_renegotiation != 0)
+ if (session->internals.priorities.sr == SR_DISABLED)
{
gnutls_assert ();
return 0;
ssize_t data_size = _data_size;
tls_ext_st *ext = &session->security_parameters.extensions;
- if (session->internals.priorities.disable_safe_renegotiation != 0)
+ if (session->internals.priorities.sr == SR_DISABLED)
{
gnutls_assert ();
return 0;
/* First, check for safe renegotiation SCSV.
*/
- if (session->internals.priorities.disable_safe_renegotiation == 0)
+ if (session->internals.priorities.sr != SR_DISABLED)
{
int offset;
}
}
- if (session->internals.priorities.disable_safe_renegotiation != 0)
+ if (session->internals.priorities.sr == SR_DISABLED)
{
gnutls_assert ();
return ret;
_gnutls_handshake_log ("HSK[%p]: Safe renegotiation succeeded\n",
session);
}
- else /* safe renegotiation not received... */
+ else /* safe renegotiation not received... */
{
if (session->internals.connection_using_safe_renegotiation)
{
}
/* Clients can't tell if it's an initial negotiation */
- if (session->internals.initial_negotiation_completed ||
- session->security_parameters.entity == GNUTLS_CLIENT)
+ if (session->internals.initial_negotiation_completed)
{
- if (session->internals.priorities.unsafe_renegotiation != 0)
+
+ if (session->internals.priorities.sr < SR_PARTIAL)
{
_gnutls_handshake_log
("HSK[%p]: Allowing unsafe (re)negotiation\n", session);
gnutls_assert ();
_gnutls_handshake_log
("HSK[%p]: Denying unsafe (re)negotiation\n", session);
- if (session->security_parameters.entity == GNUTLS_SERVER)
- /* send no renegotiation alert */
- return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED;
- else
- return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
+ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED;
}
}
else
{
- if (session->internals.priorities.initial_safe_renegotiation == 0)
+ if (session->internals.priorities.sr < SR_SAFE)
{
_gnutls_handshake_log
("HSK[%p]: Allowing unsafe initial negotiation\n", session);
unsigned int algorithms;
} priority_st;
+typedef enum {
+ SR_DISABLED,
+ SR_UNSAFE,
+ SR_PARTIAL,
+ SR_SAFE,
+} safe_renegotiation_t;
+
/* For the external api */
struct gnutls_priority_st
{
/* to disable record padding */
int no_padding:1;
- int unsafe_renegotiation:1;
- int initial_safe_renegotiation:1;
- int disable_safe_renegotiation:1;
- int safe_renegotiation_set:1; /* whether the priority string set any renegotiation parameters */
+ safe_renegotiation_t sr;
int ssl3_record_version;
int additional_verify_flags;
};
memcpy (&session->internals.priorities, priority,
sizeof (struct gnutls_priority_st));
- /* Hack. Because we want to differentiate the behavior of server
- * and client with regards to safe renegotiation. If a server didn't
- * have either SAFE_RENEGOTIATION or UNSAFE_RENEGOTIATION set the
- * safe renegotiation will be the default. This (as well as the
- * safe_renegotiation_set flag) has to be removed once safe
- * renegotiation is default in both server and client side.
- */
- if (session->security_parameters.entity == GNUTLS_SERVER)
- {
- if (session->internals.priorities.safe_renegotiation_set == 0)
- {
- session->internals.priorities.unsafe_renegotiation = 0;
- }
- }
-
/* set the current version to the first in the chain.
* This will be overridden later.
*/
*
* "%COMPAT" will enable compatibility features for a server.
*
+ * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use
+ * unless you know what you are doing. Testing purposes only.
+ *
* "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
* the default for clients, but will change once more servers support the safe renegotiation
* TLS fix).
*
- * "%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the
- * default for servers - that will reject clients trying to perform an
- * unsafe renegotiation).
- *
- * "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
- * renegotiation wasn't requested. Only valid for server side and implies
- * "%SAFE_RENEGOTIATION".
+ * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation
+ * and will protect all clients from known attacks, but will not prevent insecure clients
+ * from connecting. In client side it will disallow from renegotiating with an insecure server
+ * but will not prevent connecting to one (this leaves the client vulnerable to attacks).
*
- * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use
- * unless you know what you are doing. Testing purposes only.
+ * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse
+ * to talk to an insecure peer.
*
* "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.
*
/* for now unsafe renegotiation is default on everyone. To be removed
* when we make it the default.
*/
- (*priority_cache)->unsafe_renegotiation = 1;
+ (*priority_cache)->sr = SR_PARTIAL;
if (priorities == NULL)
priorities = "NORMAL";
else if (strcasecmp (&broken_list[i][1],
"UNSAFE_RENEGOTIATION") == 0)
{
- (*priority_cache)->unsafe_renegotiation = 1;
- (*priority_cache)->safe_renegotiation_set = 1;
+ (*priority_cache)->sr = SR_UNSAFE;
}
else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0)
{
- (*priority_cache)->unsafe_renegotiation = 0;
- (*priority_cache)->safe_renegotiation_set = 1;
+ (*priority_cache)->sr = SR_SAFE;
}
else if (strcasecmp (&broken_list[i][1],
- "INITIAL_SAFE_RENEGOTIATION") == 0)
+ "PARTIAL_RENEGOTIATION") == 0)
{
- (*priority_cache)->unsafe_renegotiation = 0;
- (*priority_cache)->initial_safe_renegotiation = 1;
- (*priority_cache)->safe_renegotiation_set = 1;
+ (*priority_cache)->sr = SR_PARTIAL;
}
else if (strcasecmp (&broken_list[i][1],
"DISABLE_SAFE_RENEGOTIATION") == 0)
{
- (*priority_cache)->disable_safe_renegotiation = 1;
- (*priority_cache)->safe_renegotiation_set = 1;
+ (*priority_cache)->sr = SR_DISABLED;
}
else
goto error;
/* emulate old gnutls behavior for old applications that do not use the priority_*
* functions.
*/
- (*session)->internals.priorities.unsafe_renegotiation = 1;
+ (*session)->internals.priorities.sr = SR_PARTIAL;
return 0;
}
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
- gnutls_priority_set_direct (server, "NORMAL:%INITIAL_SAFE_RENEGOTIATION",
+ gnutls_priority_set_direct (server, "NORMAL:%SAFE_RENEGOTIATION",
NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
}
while (
/* Not done: */
- !(cret == GNUTLS_E_AGAIN
- && sret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
+ !(sret == GNUTLS_E_AGAIN
+ && cret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
- if (cret != GNUTLS_E_AGAIN && sret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
+ if (sret != GNUTLS_E_AGAIN && cret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
exit_code = 1;
if (gnutls_safe_renegotiation_status (client) ||
echo "Checking Safe renegotiation"
-$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
pid=$!
# give the server a chance to initialize
kill $pid
wait
-$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%INITIAL_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
pid=$!
# give the server a chance to initialize