Hi, After reading the documentation: https://wiki.mozilla.org/Security:Renegotiation, I am curious and want to confirm if I understood a couple of facts correctly.
1. At one point it is said in the document that: Unfortunately, when a server is using the vulnerable SSL/TLS protocol version, it is impossible for the browser to know whether a site is protected or vulnerable (i.e whether session renegotiation is enabled or disabled on the server). So does this mean that when the server is using older SSL/TLS protocol version, whether server has Renegotiation set to On or Off can not be detected by browsers? 2. security.ssl.treat_unsafe_ negotiation_as_broken: This option is used to know whether RFC 5746 is followed by current protocol. So if we see error (<domain> : server does not support RFC 5746, see CVE-2009-3555) in the error log then we are sure that server is using older SSL/TLS protocol but we will not be sure if renegotiation is set to on or off. Is this correct? Though it is recommended to upgrade to latest SSL/TLS protocol, what impact on user experience/security it makes if I set renegotiation set to Off on server side and continue using old protocol? Please let me know if I have misunderstood anything. If already discussed somewhere can you please point me to thread? Thanks in advance. -Abhijeet -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
