Re: CVE-2009-3555 not addressed in OpenSSL
Marsh Ray <firstname.lastname@example.org> writes:
> On 10/21/2010 06:40 AM, Simon Josefsson wrote:
>> The new API to query whether the extension is negotiated or not is also
>> needed, but that shouldn't cause any problems as far as I can see. A
>> binary using the new API wouldn't work with the original gnutls in
>> stable, though, but I think that is an acceptable price?
> Even if you didn't add the new API, the protocol-level functionality
> would be improved.
> So even if the decision to introduce a new API on an old interface
> represents a trade-off of risk vs functionality, it is not an argument
> against adding protocol support for RFC 5746 (which does not suggest
> the new API is needed for its implementation).
Sure, agreed. I guess the API is mostly useful when testing that the
backport is working properly, and once that has been confirmed, the API
is no longer necessary.
Perhaps the API is not strictly necessary in a backport since it is
probably possible to extract from the debug log whether the extension
was negotiated or not, if some application really wanted to know and be
completely backwards compatible.
OTOH, it is still not clear to me that backporting SRN would really
solve any identifiable vulnerability since GnuTLS renegotiation works
differently than OpenSSL/NSS. So it might be something for a point
update rather than a security update, but I suppose that is up to the
security team to decide.