[Steve Henson]
*) If client attempts to renegotiate and doesn't support RI respond with
- a no_renegotiation alert as required by draft-ietf-tls-renegotiation.
- Some renegotiating TLS clients will continue a connection gracefully
- when they receive the alert. Unfortunately OpenSSL mishandled
- this alert and would hang waiting for a server hello which it will never
- receive. Now we treat a received no_renegotiation alert as a fatal
- error. This is because applications requesting a renegotiation might well
- expect it to succeed and would have no code in place to handle the server
- denying it so the only safe thing to do is to terminate the connection.
+ a no_renegotiation alert as required by RFC5746. Some renegotiating
+ TLS clients will continue a connection gracefully when they receive
+ the alert. Unfortunately OpenSSL mishandled this alert and would hang
+ waiting for a server hello which it will never receive. Now we treat a
+ received no_renegotiation alert as a fatal error. This is because
+ applications requesting a renegotiation might well expect it to succeed
+ and would have no code in place to handle the server denying it so the
+ only safe thing to do is to terminate the connection.
[Steve Henson]
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
the updated NID creation version. This should correctly handle UTF8.
[Steve Henson]
- *) Implement draft-ietf-tls-renegotiation-03. Re-enable
- renegotiation but require the extension as needed. Unfortunately,
- SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
- bad idea. It has been replaced by
+ *) Implement RFC5746. Re-enable renegotiation but require the extension
+ as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ turns out to be a bad idea. It has been replaced by
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
SSL_CTX_set_options(). This is really not recommended unless you
know what you are doing.
Major changes between OpenSSL 0.9.8l and OpenSSL 1.0:
- o Support for draft-ietf-tls-renegotiation-03.txt
+ o Support for RFC5746 TLS renegotiation extension.
o RFC3280 path validation: sufficient to process PKITS tests.
o Integrated support for PVK files and keyblobs.
o Change default private key format to PKCS#8.
=head1 SECURE RENEGOTIATION
OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in draft-ietf-tls-renegotiation (FIXME: replace by RFC). This
-counters the prefix attack described in CVE-2009-3555 and elsewhere.
+described in RFC5746. This counters the prefix attack described in
+CVE-2009-3555 and elsewhere.
The deprecated and highly broken SSLv2 protocol does not support secure
renegotiation at all: its use is B<strongly> discouraged.