Countermeasure against "triple handshake" attack
diff --git a/ChangeLog b/ChangeLog
index df0ef77..f131280 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,11 @@
    * entropy_add_source(), entropy_update_manual() and entropy_gather()
      now thread-safe if POLARSSL_THREADING_C defined
 
+Security
+   * Forbid change of server certificate during renegotiation to prevent
+     "triple handshake" attack when authentication mode is optional (the
+     attack was already impossible when authentication is required).
+
 Bugfix
    * ecp_gen_keypair() does more tries to prevent failure because of
      statistics
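Review bot: The added Security entry says a change of server certificate during renegotiation is forbidden, but not what the caller observes when it happens. Consider naming the outcome (handshake aborted, and which error or alert is raised) so users upgrading can recognize the failure in their logs. The parenthetical covers only the "optional" and "required" authentication modes; if there is a mode in which no verification is performed, the entry should state whether the check applies there as well. It would also help to say explicitly that this is a client-side check, since "server certificate" only implies it.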