Date: Fri, 11 Dec 2009 14:14:05 +0300
From: Maxim Dounin <mdounin@mdounin.ru>
To: Chris Palmer <chris@noncombatant.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Message-ID: <20091211111404.GD33752@mdounin.ru>
In-Reply-To: <20091210194632.GA38011@noncombatant.org>
References: <4B20D86B.7080800@default.rs> <86my1rm4ic.fsf@ds4.des.no> <4B20E812.508@default.rs> <4B2101D8.7010201@obluda.cz> <86hbrylvyw.fsf@ds4.des.no> <20091210183718.GA37642@noncombatant.org> <20091210190024.GC33752@mdounin.ru> <20091210194632.GA38011@noncombatant.org>
Hello!

On Thu, Dec 10, 2009 at 11:46:32AM -0800, Chris Palmer wrote:

> Maxim Dounin writes:
>
> > It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do
> > not request client certs in initial handshake, but instead do it via
> > renegotiation. It's not a really commonly used feature.
>
> The ideal case is not the typical case:
>
> http://extendedsubset.com/Renegotiating_TLS_pd.pdf
>
> The plain fact is that client cert auth often needs reneg in apps as
> deployed in the world. Often, web servers need to check (for example) a
> virtual-host-specific configuration before realizing they need to request
> client cert auth.

While talking about "often" - do you have any stats?

Anyway, this is quite different from "all client cert-powered apps" you stated in your previous message.

I'm not trying to say this patch doesn't break anything. It does, and the most common case is probably Apache with per-location client cert configs. But:

- it's not all apps with client certs which are broken, just a [relatively small as far as I know] share of them;

- not patching is not an option as it leaves many more installations insecure.

Maxim Dounin
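For the Apache case Maxim mentions, here is an added illustration (not part of the thread, and not a configuration from any of the participants) of the two mod_ssl setups in question: a virtual-host-wide client certificate requirement is negotiated in the initial handshake and keeps working when renegotiation is disabled, whereas a per-Location requirement can only be enforced by renegotiating after the request has been read, which is exactly what the patched OpenSSL refuses. Hostnames, file paths and the CA bundle are placeholders.

```apache
# Vhost-wide client certificate requirement: the CertificateRequest is
# part of the initial TLS handshake, so no renegotiation is ever needed.
# (ServerName, certificate paths and the client CA file are placeholders.)
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
    DocumentRoot /var/www/secure
</VirtualHost>

# Per-location requirement: mod_ssl cannot know that a certificate is
# needed until it has read the request URI, so it must renegotiate the
# TLS session after the request arrives. With renegotiation disabled
# (OpenSSL 0.9.8l / the FreeBSD-SA-09:15.ssl patch) that renegotiation
# fails and /admin becomes unreachable for every client.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    DocumentRoot /var/www/public
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>
```

One way to keep such a deployment working with renegotiation disabled is to move the protected content to its own virtual host (or port) that requires the client certificate in the initial handshake, as in the first block.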