Date: Thu, 10 Dec 2009 22:00:25 +0300 From: Maxim Dounin <mdounin@mdounin.ru> To: Chris Palmer <chris@noncombatant.org> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl Message-ID: <20091210190024.GC33752@mdounin.ru> In-Reply-To: <20091210183718.GA37642@noncombatant.org> References: <4B20D86B.7080800@default.rs> <86my1rm4ic.fsf@ds4.des.no> <4B20E812.508@default.rs> <4B2101D8.7010201@obluda.cz> <86hbrylvyw.fsf@ds4.des.no> <20091210183718.GA37642@noncombatant.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello! On Thu, Dec 10, 2009 at 10:37:18AM -0800, Chris Palmer wrote: > Dag-Erling Sm??rgrav writes: > > > Do you use client-side certificates? > > This is probably the original poster's problem. FreeBSD Security Advisory > FreeBSD-SA-09:15.ssl made clear that the patch fixes the protocol bug by > removing the broken feature (session renegotiation), but stated incorrectly > that session renegotiation is rarely used. In fact, client certificates work > using renegotiation as the underlying mechanism, and client cert auth is > pretty common. The advisory stated: > > """NOTE WELL: This update causes OpenSSL to reject any attempt to > renegotiate SSL / TLS session parameters. As a result, connections in which > the other party attempts to renegotiate session parameters will break. In > practice, however, session renegotiation is a rarely-used feature, so > disabling this functionality is unlikely to cause problems for most > systems.""" > > So, yeah, everybody: This patch breaks all your client cert-powered apps. > Probably the advisory should have mentioned that. :) It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do not request client certs in initial handshake, but instead do it via renegotiation. It's not really commonly used feature. Maxim Dounin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091210190024.GC33752>