FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Chris Palmer
chris at noncombatant.org
Thu Dec 10 19:45:38 UTC 2009
Maxim Dounin writes:
> It's not true. The patch (as well as OpenSSL 0.9.8l) breaks only apps that do
> not request client certs in the initial handshake, but instead do it via
> renegotiation. It's not a really commonly used feature.
The ideal case is not the typical case:
http://extendedsubset.com/Renegotiating_TLS_pd.pdf
The plain fact is that client cert auth often needs reneg in apps as
deployed in the world. Often, web servers need to check (for example) a
virtual-host-specific configuration before realizing they need to request
client cert auth.
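As an added illustration (not part of the original message or the advisory), two Apache httpd mod_ssl fragments showing the two deployment patterns being argued about: the first requests the client certificate only for one location, which mod_ssl can satisfy only by renegotiating after the initial handshake, so it stops working once renegotiation is disabled; the second requests it at the virtual-host level, in the initial handshake, and keeps working. Apache is assumed as the web server, and the certificate paths are placeholders.

```apache
# Pattern A: client certificate obtained via renegotiation.
# The vhost starts without client auth. When a request hits /secure/,
# mod_ssl sees a different SSLVerifyClient setting than the one the
# connection was negotiated with and renegotiates mid-connection to get
# the certificate. With renegotiation disabled (OpenSSL 0.9.8l or the
# patched library from the advisory), requests to /secure/ fail.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    <Location /secure/>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Pattern B: client certificate requested in the initial handshake.
# SSLVerifyClient at vhost level makes the server send CertificateRequest
# during the first handshake, so no renegotiation is ever needed. The
# trade-off is the one raised in the message above: the decision must be
# made before any request (and any per-path configuration) is seen, so
# every path under this vhost requires a client certificate.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

The two blocks are alternatives for the same vhost, not meant to be loaded together.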