author | Dr. Stephen Henson <steve@openssl.org> | 2010-02-12 21:59:57 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2010-02-12 21:59:57 +0000 |
commit | 81d87a2a28df15bcb35295f98a0b06170895536f (patch) | |
tree | 0621bcf3e369a9f5d5ddfd11d939440f34f13cbb /CHANGES | |
parent | 7366f0b304ed9036c3af782b987260cced421170 (diff) |
update references to new RI RFC
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 23 |
1 files changed, 11 insertions, 12 deletions
@@ -880,14 +880,14 @@ [Steve Henson] *) If client attempts to renegotiate and doesn't support RI respond with - a no_renegotiation alert as required by draft-ietf-tls-renegotiation. - Some renegotiating TLS clients will continue a connection gracefully - when they receive the alert. Unfortunately OpenSSL mishandled - this alert and would hang waiting for a server hello which it will never - receive. Now we treat a received no_renegotiation alert as a fatal - error. This is because applications requesting a renegotiation might well - expect it to succeed and would have no code in place to handle the server - denying it so the only safe thing to do is to terminate the connection. + a no_renegotiation alert as required by RFC5746. Some renegotiating + TLS clients will continue a connection gracefully when they receive + the alert. Unfortunately OpenSSL mishandled this alert and would hang + waiting for a server hello which it will never receive. Now we treat a + received no_renegotiation alert as a fatal error. This is because + applications requesting a renegotiation might well expect it to succeed + and would have no code in place to handle the server denying it so the + only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if 
@@ -899,10 +899,9 @@ the updated NID creation version. This should correctly handle UTF8. [Steve Henson] - *) Implement draft-ietf-tls-renegotiation-03. Re-enable - renegotiation but require the extension as needed. Unfortunately, - SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a - bad idea. It has been replaced by + *) Implement RFC5746. Re-enable renegotiation but require the extension + as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing. |
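Review bot: In the hunk at @@ -880,14 +880,14 @@ the whole no_renegotiation paragraph is re-wrapped to swap one reference, so eight lines are removed and eight added when only "draft-ietf-tls-renegotiation" became "RFC5746". That makes it hard to confirm from the diff that the rest of the wording is unchanged. Consider keeping the original line breaks and changing only the line that carries the reference, or putting the reflow in a separate commit.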
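Review bot: In the hunk at @@ -899,10 +899,9 @@ the entry loses the draft revision: "Implement draft-ietf-tls-renegotiation-03" becomes "Implement RFC5746", and nothing in the entry or the commit message ("update references to new RI RFC") says whether the implementation was rechecked against the published RFC text or only the reference was renamed. Since CHANGES is a historical record, consider wording such as "Implement RFC5746 (originally draft-ietf-tls-renegotiation-03)" so readers can tell which text the code was written against.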