dtls.c: force_renegotiation_info is always set #219
If a DTLS client talks to a TinyDTLS server, but does not send any renegotiation information (i.e. no TLS_EMPTY_RENEGOTIATION_INFO_SCSV) in the ClientHello, then when the server calls dtls_check_tls_extension(), this returns an error. Found when running a client using wolfSSL.

Any reason why force_renegotiation_info should be set for a server?

Comments

Just in case someone really wants to support "non RFC5746" peers: Tinydtls uses the

I had latched on to renegotiation being dropped for TLS 1.3 and did not think this properly through. I have found that I need to call a function in wolfSSL to make things work as expected when talking to TinyDTLS.

Thanks for clarifying. The pain of the protection against renegotiation attacks is that it is required (at least considered to be required) to use the extension even if renegotiation isn't supported. Therefore it's enabled by default, but may be switched off if required and the trade-offs are clear.