FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

Maxim Dounin mdounin at mdounin.ru
Thu Dec 10 19:18:23 UTC 2009


Hello!

On Thu, Dec 10, 2009 at 10:37:18AM -0800, Chris Palmer wrote:

> Dag-Erling Smørgrav writes:
> 
> > Do you use client-side certificates?
> 
> This is probably the original poster's problem. FreeBSD Security Advisory
> FreeBSD-SA-09:15.ssl made clear that the patch fixes the protocol bug by
> removing the broken feature (session renegotiation), but stated incorrectly
> that session renegotiation is rarely used. In fact, client certificates work
> using renegotiation as the underlying mechanism, and client cert auth is
> pretty common. The advisory stated:
> 
> """NOTE WELL: This update causes OpenSSL to reject any attempt to
> renegotiate SSL / TLS session parameters.  As a result, connections in which
> the other party attempts to renegotiate session parameters will break.  In
> practice, however, session renegotiation is a rarely-used feature, so
> disabling this functionality is unlikely to cause problems for most
> systems."""
> 
> So, yeah, everybody: This patch breaks all your client cert-powered apps.
> Probably the advisory should have mentioned that. :)

It's not true.  The patch (as well as OpenSSL 0.9.8l) breaks only apps
that do not request client certs in the initial handshake, but instead
do it via renegotiation.  It's not really a commonly used feature.

Maxim Dounin

