From owner-freebsd-security@FreeBSD.ORG Fri Dec 11 18:44:52 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06BB41065670 for ; Fri, 11 Dec 2009 18:44:52 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id DC96F8FC23 for ; Fri, 11 Dec 2009 18:44:51 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id 666E27751E0; Fri, 11 Dec 2009 10:45:48 -0800 (PST) Date: Fri, 11 Dec 2009 10:45:48 -0800 From: Chris Palmer To: freebsd-security@freebsd.org Message-ID: <20091211184548.GA46543@noncombatant.org> References: <4B20D86B.7080800@default.rs> <86my1rm4ic.fsf@ds4.des.no> <4B20E812.508@default.rs> <4B2101D8.7010201@obluda.cz> <86hbrylvyw.fsf@ds4.des.no> <20091210183718.GA37642@noncombatant.org> <20091210190024.GC33752@mdounin.ru> <20091210194632.GA38011@noncombatant.org> <20091211111404.GD33752@mdounin.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20091211111404.GD33752@mdounin.ru> User-Agent: Mutt/1.4.2.3i Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2009 18:44:52 -0000 Maxim Dounin writes: > While talking about "often" - do you have any stats? Anyway, this is > quite a differenet from "all client cert-powered apps" you stated in your > previous message. IIS defaults to renegotiation when doing client cert auth, and Apache certainly can (possibly must? I don't know) work this way as well. See Ray and Dispensa's original paper. http://extendedsubset.com/Renegotiating_TLS.pdf """In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications.""" So, sure; "all" is an exaggeration, but it's much less wrong than "rarely used". > - not patching is not an option as it leaves unsecure much more > installations. Patching/not patching is not always a black and white question whose answer is always "yes". The question is far more gray when the patch breaks protocol compat with a major protocol feature.