
gnutls-1.4.1-10.el5_9.1.src.rpm

diff -up gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3.tolerant gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3
--- gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3.tolerant	2010-02-19 09:06:48.000000000 +0100
+++ gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3	2010-03-02 17:19:49.000000000 +0100
@@ -13,10 +13,13 @@ is a \fBgnutls_session_t\fP structure.
 0 to disable and 1 to enable
 .SH "DESCRIPTION"
 Used to enable and disable initial safe renegotiation for the current
-session. By default it is allowed for a client to not advertise safe
-renegotiation capability but there might be cases where signalling
-a client of its insecurity by rejecting session might be beneficial.
-This option has meaning only in server side.
+session. By default it is allowed for a client or server to not advertise
+safe renegotiation capability. Note however that the client can not tell
+whether it is currently under attack or not and so this default will
+be changed for clients as soon as the unsafe servers are not widely
+deployed anymore. There might be also cases where signalling
+a client of its insecurity by rejecting session by the servers might be
+beneficial.
 .SH "REPORTING BUGS"
 Report bugs to <bug-gnutls@gnu.org>.
 GnuTLS home page: http://www.gnu.org/software/gnutls/
diff -up gnutls-1.4.1/lib/gnutls_handshake.c.tolerant gnutls-1.4.1/lib/gnutls_handshake.c
--- gnutls-1.4.1/lib/gnutls_handshake.c.tolerant	2010-03-02 16:28:36.000000000 +0100
+++ gnutls-1.4.1/lib/gnutls_handshake.c	2010-03-02 17:16:06.000000000 +0100
@@ -2197,9 +2197,10 @@ _gnutls_recv_hello (gnutls_session_t ses
 	  return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
 	}
 
-      /* Clients can't tell if it's an initial negotiation */
-      if (session->internals.initial_negotiation_completed ||
-	  session->security_parameters.entity == GNUTLS_CLIENT)
+      /* Clients can't tell if it's an initial negotiation but we make it tolerant
+         within seen initial negotiation to unsafe servers by default. This default
+         should be changed as soon as unsafe servers are not deployed anymore. */
+      if (session->internals.initial_negotiation_completed)
 	{
 	  if (session->internals.unsafe_renegotiation != 0)
 	    {
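Review bot: With `session->security_parameters.entity == GNUTLS_CLIENT` dropped from the condition, a client on its first handshake now never reaches the `unsafe_renegotiation` check in this block, and nothing visible in the hunk lets a client opt back into rejecting a server that did not advertise safe renegotiation; if the per-session option described by the accompanying gnutls_safe_negotiation_set_initial manpage is meant to give clients that choice, it appears to have no effect on this path and should be checked against the setter. Since a client cannot tell an initial handshake from a renegotiation spliced in by a man-in-the-middle, the comment should say plainly that this is a deliberate interoperability trade-off rather than a correctness property, for example `/* Clients cannot distinguish an initial handshake from a renegotiation, so skipping the check here knowingly tolerates servers without safe renegotiation; revisit once such servers are rare. */`. The enclosing function _gnutls_recv_hello starts before the hunk and the block opened on its last line continues after it.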