Date: Thu, 10 Dec 2009 11:46:32 -0800
From: Chris Palmer <chris@noncombatant.org>
To: Maxim Dounin <mdounin@mdounin.ru>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Message-ID: <20091210194632.GA38011@noncombatant.org>
In-Reply-To: <20091210190024.GC33752@mdounin.ru>
References: <4B20D86B.7080800@default.rs> <86my1rm4ic.fsf@ds4.des.no> <4B20E812.508@default.rs> <4B2101D8.7010201@obluda.cz> <86hbrylvyw.fsf@ds4.des.no> <20091210183718.GA37642@noncombatant.org> <20091210190024.GC33752@mdounin.ru>
Maxim Dounin writes:

> It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do
> not request client certs in initial handshake, but instead do it via
> renegotiation. It's not a really commonly used feature.

The ideal case is not the typical case:

http://extendedsubset.com/Renegotiating_TLS_pd.pdf

The plain fact is that client cert auth often needs reneg in apps as deployed in the world. Often, web servers need to check (for example) a virtual-host-specific configuration before realizing they need to request client cert auth.