Hello! On Thu, Dec 10, 2009 at 11:46:32AM -0800, Chris Palmer wrote:
> Maxim Dounin writes:
>
> > It's not true. Patch (as well as OpenSSL 0.9.8l) breaks only apps that do
> > not request client certs in initial handshake, but instead do it via
> > renegotiation. It's not a really commonly used feature.
>
> The ideal case is not the typical case:
>
> http://extendedsubset.com/Renegotiating_TLS_pd.pdf
>
> The plain fact is that client cert auth often needs reneg in apps as
> deployed in the world. Often, web servers need to check (for example) a
> virtual-host-specific configuration before realizing they need to request
> client cert auth.

While talking about "often" - do you have any stats?

Anyway, this is quite different from "all client cert-powered apps" you stated in your previous message.

I'm not trying to say this patch doesn't break anything. It does, and the most common case is probably Apache with per-location client cert configs. But:

- it's not all apps with client certs which are broken, just a [relatively small as far as I know] share of them;
- not patching is not an option as it leaves many more installations insecure.

Maxim Dounin
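As an added illustration that is not part of the thread: the Apache httpd mod_ssl pattern Maxim refers to (client cert demanded per-location, so mod_ssl renegotiates after the initial handshake) beside the form that requests the certificate in the initial handshake and therefore keeps working when renegotiation is disabled. Hostnames and file paths are placeholders, and the two name-based vhosts on one port assume SNI support.

```apache
# Constructed example, not from the mailing-list thread.
# Assumes Apache httpd 2.x with mod_ssl; names and paths are placeholders.

# Pattern that breaks once renegotiation is disabled: the initial
# handshake completes with no client certificate, and mod_ssl
# renegotiates only when a request reaches /secure.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.test.crt
    SSLCertificateKeyFile /etc/ssl/example.test.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt

    # Per-location verify mode differs from the vhost default (none),
    # so mod_ssl must renegotiate to obtain the certificate.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Form that keeps working: the certificate request is part of the
# initial handshake for the whole vhost, so no renegotiation occurs.
# Trade-off: every client of this vhost must present a certificate.
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/secure.example.test.crt
    SSLCertificateKeyFile /etc/ssl/secure.example.test.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt

    # Vhost-wide: CertificateRequest is sent in the initial handshake.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

Moving the certificate requirement to its own vhost is the usual way to keep per-URL client-cert auth after applying the renegotiation-disabling patch.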
