> On 7 Jun 2017, at 14:29, Victor Stinner <victor.stinner at gmail.com> wrote:
>
> 2017-06-07 10:56 GMT+02:00 Nathaniel Smith <njs at pobox.com>:
>> Another testing challenge is that the stdlib ssl module has no way to
>> trigger a renegotiation, and therefore there's no way to write tests
>> to check that it properly handles a renegotiation, even though
>> renegotiation is by far the trickiest part of the protocol to get
>> right. (In particular, renegotiation is the only case where attempting
>> to read can give WantWrite and vice-versa.)
>
> Renegotiation was the source of a vulnerability in SSL/TLS protocols,
> so maybe it's a good thing that it's not implemented :-)
> https://www.rapid7.com/db/vulnerabilities/tls-sess-renegotiation
>
> Renegotiation was removed from the new TLS 1.3 protocol:
> https://tlswg.github.io/tls13-spec/
> "TLS 1.3 forbids renegotiation"

Renegotiation remains extremely widely deployed with TLS client certificates in enterprise environments, sadly.

Cory