diff -up gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3.tolerant gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3 --- gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3.tolerant 2010-02-19 09:06:48.000000000 +0100 +++ gnutls-1.4.1/doc/manpages/gnutls_safe_negotiation_set_initial.3 2010-03-02 17:19:49.000000000 +0100 @@ -13,10 +13,13 @@ is a \fBgnutls_session_t\fP structure. 0 to disable and 1 to enable .SH "DESCRIPTION" Used to enable and disable initial safe renegotiation for the current -session. By default it is allowed for a client to not advertise safe -renegotiation capability but there might be cases where signalling -a client of its insecurity by rejecting session might be beneficial. -This option has meaning only in server side. +session. By default it is allowed for a client or server to not advertise +safe renegotiation capability. Note however that the client can not tell +whether it is currently under attack or not and so this default will +be changed for clients as soon as the unsafe servers are not widely +deployed anymore. There might be also cases where signalling +a client of its insecurity by rejecting session by the servers might be +beneficial. .SH "REPORTING BUGS" Report bugs to <bug-gnutls@gnu.org>. GnuTLS home page: http://www.gnu.org/software/gnutls/ diff -up gnutls-1.4.1/lib/gnutls_handshake.c.tolerant gnutls-1.4.1/lib/gnutls_handshake.c --- gnutls-1.4.1/lib/gnutls_handshake.c.tolerant 2010-03-02 16:28:36.000000000 +0100 +++ gnutls-1.4.1/lib/gnutls_handshake.c 2010-03-02 17:16:06.000000000 +0100 @@ -2197,9 +2197,10 @@ _gnutls_recv_hello (gnutls_session_t ses return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; } - /* Clients can't tell if it's an initial negotiation */ - if (session->internals.initial_negotiation_completed || - session->security_parameters.entity == GNUTLS_CLIENT) + /* Clients can't tell if it's an initial negotiation but we make it tolerant + within seen initial negotiation to unsafe servers by default. This default + should be changed as soon as unsafe servers are not deployed anymore. */ + if (session->internals.initial_negotiation_completed) { if (session->internals.unsafe_renegotiation != 0) {