From owner-freebsd-security@FreeBSD.ORG Fri Dec 11 11:14:06 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D62D2106566B for ; Fri, 11 Dec 2009 11:14:06 +0000 (UTC) (envelope-from mdounin@mdounin.ru) Received: from mdounin.cust.ramtel.ru (mdounin.cust.ramtel.ru [81.19.69.81]) by mx1.freebsd.org (Postfix) with ESMTP id 90C938FC12 for ; Fri, 11 Dec 2009 11:14:06 +0000 (UTC) Received: from mdounin.ru (mdounin.cust.ramtel.ru [81.19.69.81]) by mdounin.cust.ramtel.ru (Postfix) with ESMTP id 2C0CE1702B; Fri, 11 Dec 2009 14:14:05 +0300 (MSK) Date: Fri, 11 Dec 2009 14:14:05 +0300 From: Maxim Dounin To: Chris Palmer Message-ID: <20091211111404.GD33752@mdounin.ru> References: <4B20D86B.7080800@default.rs> <86my1rm4ic.fsf@ds4.des.no> <4B20E812.508@default.rs> <4B2101D8.7010201@obluda.cz> <86hbrylvyw.fsf@ds4.des.no> <20091210183718.GA37642@noncombatant.org> <20091210190024.GC33752@mdounin.ru> <20091210194632.GA38011@noncombatant.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20091210194632.GA38011@noncombatant.org> User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2009 11:14:06 -0000 Hello! On Thu, Dec 10, 2009 at 11:46:32AM -0800, Chris Palmer wrote: > Maxim Dounin writes: > > > It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do > > not request client certs in initial handshake, but instead do it via > > renegotiation. It's not really commonly used feature. > > The ideal case is not the typical case: > > http://extendedsubset.com/Renegotiating_TLS_pd.pdf > > The plain fact is that client cert auth often needs reneg in apps as > deployed in the world. Often, web servers need to check (for example) a > virtual-host-specific configuration before realizing they need to request > client cert auth. While talking about "often" - do you have any stats? Anyway, this is quite a differenet from "all client cert-powered apps" you stated in your previous message. I'm not trying to say this patch doesn't break anything. It does, and most common case is probably Apache with per-location client cert configs. But: - it's not all apps with client certs which are broken, just a [relatively small as far as I know] share of them; - not patching is not an option as it leaves unsecure much more installations. Maxim Dounin