From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED
	autolearn=no autolearn_force=no version=3.4.4
Received: (qmail 26840 invoked from network); 18 Jan 2023 15:09:03 -0000
Received: from 9front.inri.net (168.235.81.73)
  by inbox.vuxu.org with ESMTPUTF8; 18 Jan 2023 15:09:03 -0000
Received: from sendmail.purelymail.com ([34.202.193.197]) by 9front; Wed Jan 18 10:07:42 -0500 2023
DKIM-Signature: a=rsa-sha256; b=cPx5ynp48zpeC+09Vr99ANEmG0BOMs/dtQI27OIk6Ys5R/pGiyy+uWlCQLmbrBBoHKrfqsNSTQF+tRpJofYKOwPhnmf0TOFJbmRUxHQrv4hJ6ct1pjJM1Bf1eIb/c5k5vjdCwkieJadSXGzuWvI/Q3tCo9Lc/Lnun8837hJINpa13N8c1WwPByL30fGML1QGyQh1sya4IfKM05zFC+8N7yUlECdZMaGNHGrkUTZAB7HRq5F9gVvkOEU5Sf8QH/BAbWXh2+ehu4fUA4K0Yoj4em3PnlRoV5G150bgH73aC1nbVuMDOKNU84KmJgeL7xsDR4h3/JCYIOpc0rsEXWxkwg==; s=purelymail3; d=pbrane.org; v=1; bh=WZLDwjisQ0F+pCydFbyrQ/S3dZHCTv1i2DAoISP+fFk=; h=Received:From:To:Subject;
DKIM-Signature: a=rsa-sha256; b=RtGifIzvBgiLjVX2uuJAnPtBqWPtU3DcPesrbKeo2EUScRgk/OAo1EipCsvYY13bzAVTF/IoSPIIYWx7m2v6FqbojDJJNyeU6/HPRZ41Rbu1tuwLVfXP4VRkfz8PgJSbLJMHAcw5Rfa0XIfXF5S0zl3bKFcVmBcjbXf/FbI6SLw2SQypVjHbYiORWyK3jC1UWEPKPB6OQGyo3ZHoy2uRpxJe9PXZ5IfyhM1jZJBiZmbioLBnLG4z1TJp4JPisSIE1JNLec/pf3qR+JF0ETBrMgfB2j9W1ATUvGZREEs9S1pOIl8SErtHcq8AwOKPIO+VFINRjRhaL+7UfiCGLHyTzA==; s=purelymail3; d=purelymail.com; v=1; bh=WZLDwjisQ0F+pCydFbyrQ/S3dZHCTv1i2DAoISP+fFk=; h=Feedback-ID:Received:From:To:Subject;
Feedback-ID: 10987:2443:null:purelymail
X-Pm-Original-To: 9front@9front.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1281021098
          for <9front@9front.org>
          (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
          Wed, 18 Jan 2023 15:07:29 +0000 (UTC)
Date: Wed, 18 Jan 2023 07:07:26 -0800
From: Anthony Martin <ality@pbrane.org>
To: 9front@9front.org
Message-ID: <Y8gLLlooTNdcgW3a@alice>
References: <87988F72F1C2D20B16DE8DA47FB8C262@alice>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <87988F72F1C2D20B16DE8DA47FB8C262@alice>
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: strategy-scale WEB2.0 factory DOM component-scale database generator 
Subject: [9front] Re: [PATCH] libsec: add minimal support for the tls renegotiation
 extension
Reply-To: 9front@9front.org
Precedence: bulk

Anthony Martin <ality@pbrane.org> once said:
> OpenSSL 3.0 clients refuse to connect to servers that do not
> support the renegotiation extension (RFC 5746) unless the default
> configuration is changed to allow it. Since we do not support
> renegotiation, we only need to make minor changes to the initial
> handshake to comply with the specification:
>
> 1. For tlsClient, simply add the proper SCSV to the ClientHello
> cipher list (cf. RFC 5746 =C2=A7 3.3);
>
> 2. For tlsServer, respond with an empty renegotiation extension
> in the ServerHello if we received either the SCSV or an empty
> renegotiation extension in the ClientHello.
>
> Since we close the hand file and never open it after the initial
> handshake, we can rely on tls(3) to send the "no renegotiation"
> alerts if subsequent handshake records are received.
>
> [...]

Ping.

Thanks,
  Anthony