[botan-devel] insecure renegotiation

Falko Strenzke fstrenzke at cryptosource.de
Sat Jun 3 03:27:56 EDT 2017


I would like to report an observation about Botan's TLS implementation.
I ran the following simple test: Botan's sample client connects to a TLS
1.2 server which does not support secure renegotiation. I added output
of the server's extensions in the hello request for clarity. When the
client requests renegotiation, the following happens:


server_hello extension types:
Certificate validation status: Cannot establish trust
Handshake complete, TLS v1.2 using RSA_WITH_AES_128_CBC_SHA
Session ID 554ECECB8546861C826DCB4F26D3439A67274ECC9414D9FFC3C21E658D9A5003
Client initiated renegotiation
server_hello extension types:
Error: Server changed its mind about secure renegotiation

The client incorrectly seems to believe the server supports secure
renegotiation. This seems to err on the side of security, however.



cryptosource logo

Dr. Falko Strenzke
Geschäftsführer /
Managing Director

	cryptosource GmbH
Pallaswiesenstr. 182
64293 Darmstadt
Tel.: 	+49 (0) 6151 / 86 22 379
Fax.: 	+49 (0) 6151 / 786 65 80
Mobil.: 	+49 (0) 177 / 898 53 28

Email: fstrenzke at cryptosource.de <mailto:fstrenzke at cryptosource.de>
Internet: www.cryptosource.de <http://www.cryptosource.de>
	Geschäftsführer: Dr. Falko Strenzke
Unternehmenssitz: Darmstadt
Registergericht: Amtsgericht Darmstadt
Handelsregister-Nummer: HRB 93037
Umsatzsteuer-ID: DE294145062

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170603/795994fb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.jpg
Type: image/jpeg
Size: 9937 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170603/795994fb/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2938 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170603/795994fb/attachment-0001.p7s>

More information about the botan-devel mailing list