On Wed, Sep 19, 2012 at 1:57 PM, Janusz Dziemidowicz rraptorr@nails.eu.org wrote:
2012/9/18 Henrik Riomar henrik.riomar@gmail.com:
On Wed, Jun 27, 2012 at 11:42 PM, Janusz Dziemidowicz rraptorr@nails.eu.org wrote:
Hi,
The approach is based on what is being done in Apache. The default is to allow renegotiation, so there should be no surprises for anyone after upgrade. Patch applies on latest (4.54b4) stunnel beta. Feel free to comment:)
Sorry for not noticing this patch earlier. What is the best way to test the effects of this patch, i.e. what test client did you use?
You can use gnutls-cli:
gnutls-cli --insecure --port 8443 localhost -e
or s_client from stunnel:
openssl s_client -host localhost -port 8443 -tls1
With s_client, you have to input R and press Enter; it will try to renegotiate then (awesome hack). Also, note that s_client has problems while renegotiating with TLS1.2 (that's why I've added the -tls1 option).
OK, I tried with gnutls-cli-debug -p 1443 127.0.0.1
...snip...
Checking for Safe renegotiation support... yes
Checking for Safe renegotiation support (SCSV)... yes
...snip...
The above is towards a build of stunnel-4.54b8.tar.gz with "renegotiation = no" in the config.
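A follow-up check, added here as an example that is not part of this thread or of stunnel: the two "Safe renegotiation support" lines from gnutls-cli-debug only report whether the server negotiates the RFC 5746 extension and its SCSV form, not whether it will honour a renegotiation request, so the script below drives the s_client "R" trick from the thread and classifies the transcript. The host, port, sample transcripts and the pattern matching on "-state" output are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the stunnel thread or project: sends the "R" renegotiation
# request through openssl s_client (the trick described above) and classifies the
# transcript. Assumptions: host/port and sample transcripts are constructed; the
# matching is a heuristic over "openssl s_client -state" wording (OpenSSL 1.0/1.1).
# Complete the handshake, then send "R" + newline to request a client-initiated
# renegotiation. -state prints one line per handshake state; -tls1 follows the
# thread's advice because s_client renegotiation misbehaves with TLS 1.2.
reneg_transcript() {
  printf 'R\n' | openssl s_client -connect "$1:$2" -tls1 -state 2>&1
}

# Classify a transcript read from stdin and print exactly one word:
#   accepted - two handshakes completed (two "read finished" states), i.e. the
#              server honoured the renegotiation request
#   refused  - RENEGOTIATING was sent but no second handshake completed (the
#              server answered with a fatal alert, an error or a closed socket)
#   none     - s_client never reached RENEGOTIATING (the connection failed first)
# Counting states instead of relying on line order tolerates stdout/stderr interleaving.
classify_reneg() {
  awk '
    /^RENEGOTIATING/                                   { seen = 1 }
    /read finished/ && !/failed in|error in/           { finished++ }
    END {
      if (finished >= 2) print "accepted"
      else if (seen)     print "refused"
      else               print "none"
    }'
}

# Constructed, abridged transcripts for offline checks of the classifier.
SAMPLE_ACCEPTED='SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
DONE'
SAMPLE_REFUSED='SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A'
SAMPLE_NONE='SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:protocol version
SSL_connect:failed in SSLv3 read server hello A'
# Live check: ./check_reneg.sh HOST [PORT], e.g. against the stunnel test instance.
if [ $# -ge 1 ]; then
  reneg_transcript "$1" "${2:-8443}" | classify_reneg
fi
```

Run it against the stunnel instance once with "renegotiation = no" and once with the default; the result should flip between refused and accepted while gnutls-cli-debug keeps saying yes in both cases.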