FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Maxim Dounin
mdounin at mdounin.ru
Fri Dec 11 11:14:06 UTC 2009
Hello!
On Thu, Dec 10, 2009 at 11:46:32AM -0800, Chris Palmer wrote:
> Maxim Dounin writes:
>
> > It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do
> > not request client certs in initial handshake, but instead do it via
> > renegotiation. It's not really commonly used feature.
>
> The ideal case is not the typical case:
>
> http://extendedsubset.com/Renegotiating_TLS_pd.pdf
>
> The plain fact is that client cert auth often needs reneg in apps as
> deployed in the world. Often, web servers need to check (for example) a
> virtual-host-specific configuration before realizing they need to request
> client cert auth.
While talking about "often" - do you have any stats? Anyway, this
is quite different from "all client cert-powered apps" you
stated in your previous message.
I'm not trying to say this patch doesn't break anything. It does,
and the most common case is probably Apache with per-location client
cert configs. But:
- it's not all apps with client certs which are broken, just a
[relatively small as far as I know] share of them;
- not patching is not an option as it leaves many more
installations insecure.
Maxim Dounin
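The Apache case both sides refer to, shown as an added example that is not part of the original thread: a per-location SSLVerifyClient can only be enforced after the request URI is known, so mod_ssl has to renegotiate the already-established session to ask for the client certificate, and that renegotiation is exactly what the OpenSSL 0.9.8l-style patch refuses. Requesting the certificate at the virtual-host level makes the request part of the initial handshake and needs no renegotiation. The host names, paths and CA file are placeholders.

```apache
# BEFORE: certificate requested only for one location.
# The TLS session is already up when Apache sees the URI, so mod_ssl
# must renegotiate to obtain the client cert; with renegotiation
# disabled by the patch this handshake fails.
<VirtualHost *:443>
    ServerName          example.test          # placeholder
    SSLEngine           on
    SSLCertificateFile  /etc/ssl/example.test.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/example.test.key # placeholder
    SSLCACertificateFile  /etc/ssl/client-ca.crt    # placeholder

    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# AFTER: certificate requested for the whole virtual host.
# The CertificateRequest is sent in the initial handshake, so the
# application keeps working with renegotiation disabled. Resources
# that must stay reachable without a client cert go in a separate
# virtual host (or port) instead of a per-location exception.
<VirtualHost *:443>
    ServerName          example.test          # placeholder
    SSLEngine           on
    SSLCertificateFile  /etc/ssl/example.test.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/example.test.key # placeholder
    SSLCACertificateFile  /etc/ssl/client-ca.crt    # placeholder

    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

The trade-off is the one discussed in the thread: the second form gives up per-URI selectivity (any path served by that virtual host demands a certificate), which is why a deployment that mixes anonymous and certificate-authenticated content under one host is the configuration most likely to break when renegotiation is switched off.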