[axtls-general] axTLS - support for secure renegotiation/RFC5746?
Brought to you by:
cameronrich
From: Chris G. <ch...@se...> - 2014-06-17 23:02:50
|
Hi, I have been using axTLS for a few years on an embedded client (powerpc-linux, typically 32mb RAM) and until recently it has met my needs, but I've run into an interoperability problem. Recently a customer complained that when they disable "insecure renegotiation" but enable "secure renegotiation" on their Microsoft Threat Management Gateway server, my company's client devices are unable to connect. The server admins are claiming the reason for this is axTLS does not support RFC5746 <http://tools.ietf.org/html/rfc5746>. The symptom is that the server closes the connection immediately after client hello. I have found that axTLS does not add the renegotiation_info extension or null cipher suite "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" described in section 3 of RFC5746 <http://tools.ietf.org/html/rfc5746#section-3>. Per my reading of that RFC the server may immediately drop the connection if these are not present, and I think that is what is happening. I suppose I may be the only one to ever run across this. For comparison, recent OpenSSL uses TLS_EMPTY_RENEGOTIATION_INFO_SCSV when forced to use TLS 1.1 and in TLS 1.2 mode it uses the renegotiation_info extension. What do you think would be the best way to correct this? -- Chris Ghormley / Set-Point Control |