FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Chris Palmer
chris at noncombatant.org
Fri Dec 11 18:44:52 UTC 2009
Maxim Dounin writes:
> While talking about "often" - do you have any stats? Anyway, this is
> quite different from "all client cert-powered apps" you stated in your
> previous message.
IIS defaults to renegotiation when doing client cert auth, and Apache
certainly can (possibly must? I don't know) work this way as well. See Ray
and Dispensa's original paper.
http://extendedsubset.com/Renegotiating_TLS.pdf
"""In particular, practical attacks against HTTPS client certificate
authentication have been demonstrated against recent versions of both
Microsoft IIS and Apache httpd on a variety of platforms and in conjunction
with a variety of client applications."""
So, sure; "all" is an exaggeration, but it's much less wrong than "rarely
used".
> - not patching is not an option as it leaves insecure many more
> installations.
Patching/not patching is not always a black and white question whose answer
is always "yes". The question is far more gray when the patch breaks
protocol compat with a major protocol feature.