Maxim Dounin writes: > It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do > not request client certs in initial handshake, but instead do it via > renegotiation. It's not really commonly used feature.
The ideal case is not the typical case: http://extendedsubset.com/Renegotiating_TLS_pd.pdf The plain fact is that client cert auth often needs reneg in apps as deployed in the world. Often, web servers need to check (for example) a virtual-host-specific configuration before realizing they need to request client cert auth. _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
