3.5. TLS Renegotiation

Where handshake renegotiation is implemented, both clients and servers MUST implement the renegotiation_info extension, as defined in [RFC5746].

The most secure option for countering the Triple Handshake attack is to refuse any change of certificates during renegotiation. In addition, TLS clients SHOULD apply the same validation policy for all certificates received over a connection. The [triple-handshake] document suggests several other possible countermeasures, such as binding the master secret to the full handshake (see [SESSION-HASH]) and binding the abbreviated session resumption handshake to the original full handshake. Although the latter two techniques are still under development and thus do not qualify as current practices, those who implement and deploy TLS are advised to watch for further development of appropriate countermeasures.