Re: CVE-2009-3555 not addressed in OpenSSL
On 10/21/2010 06:40 AM, Simon Josefsson wrote:
> The new API to query whether the extension is negotiated or not is also
> needed, but that shouldn't cause any problems as far as I can see. A
> binary using the new API wouldn't work with the original gnutls in
> stable, though, but I think that is an acceptable price?
Even if you didn't add the new API, the protocol-level functionality
would be improved.
So even if the decision to introduce a new API on an old interface
represents a trade-off of risk vs functionality, it is not an argument
against adding protocol support for RFC 5746 (which does not suggest the
new API is needed for its implementation).