Date:      Fri, 11 Dec 2009 10:45:48 -0800
From:      Chris Palmer <chris@noncombatant.org>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Message-ID:  <20091211184548.GA46543@noncombatant.org>
In-Reply-To: <20091211111404.GD33752@mdounin.ru>
References:  <4B20D86B.7080800@default.rs> <86my1rm4ic.fsf@ds4.des.no> <4B20E812.508@default.rs> <4B2101D8.7010201@obluda.cz> <86hbrylvyw.fsf@ds4.des.no> <20091210183718.GA37642@noncombatant.org> <20091210190024.GC33752@mdounin.ru> <20091210194632.GA38011@noncombatant.org> <20091211111404.GD33752@mdounin.ru>

Maxim Dounin writes:

> While talking about "often" - do you have any stats?  Anyway, this is
> quite different from "all client cert-powered apps" you stated in your
> previous message.

IIS defaults to renegotiation when doing client cert auth, and Apache
certainly can (possibly must? I don't know) work this way as well. See Ray
and Dispensa's original paper.

http://extendedsubset.com/Renegotiating_TLS.pdf

"""In particular, practical attacks against HTTPS client certificate
authentication have been demonstrated against recent versions of both
Microsoft IIS and Apache httpd on a variety of platforms and in conjunction
with a variety of client applications."""

So, sure; "all" is an exaggeration, but it's much less wrong than "rarely
used".

> - not patching is not an option as it leaves unsecure much more 
>   installations.

Patching/not patching is not always a black and white question whose answer
is always "yes". The question is far more gray when the patch breaks
protocol compat with a major protocol feature.
