httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Date Mon, 09 Nov 2009 19:45:46 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #44 from Ruediger Pluem <rpluem@apache.org> 2009-11-09 12:45:37 CET ---
(In reply to comment #43)
> Ruediger,
> 
> 1. Is the config still vulnerable if the user redirects to
> "/mihailp1/www-secure/s" only after double authentication by soft
> (password-pin)?

Yes. 

> 2. Why is *this* config vulnerable if I disable renegotiation initiated by the client?

Server-triggered renegotiations have the same problems as client-triggered
renegotiations. The only difference is that the MIM needs to know a request/URL
from the server that triggers a server-triggered renegotiation, in contrast to
the client-driven renegotiation, where the client can decide this at will.
The only way to make your configuration safe is to move

    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate

to the virtual host level and thus protect the whole virtual host.

For more details see:

http://extendedsubset.com/Renegotiating_TLS.pdf
http://extendedsubset.com/Renegotiating_TLS_pd.pdf

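A small audit check for the distinction drawn in the comment above, added here as an example and not part of the bug report or of httpd itself: it walks an httpd configuration with a minimal container parser and reports every SSLVerifyClient that is scoped below the virtual host (Directory, Location, Files and their Match variants), since that is the form mod_ssl can only enforce by renegotiating after the request has been read. The two sample configurations are constructed; the directory path is the one quoted in the question.

```python
from __future__ import annotations
import re

# Constructed sample configs: the per-directory form the comment calls unsafe,
# and the virtual-host-level form it recommends instead.
WEAK_CONF = """
<VirtualHost *:443>
    SSLEngine on
    <Directory "/mihailp1/www-secure/s">
        SSLVerifyDepth 3
        SSLVerifyClient require
        SSLOptions +OptRenegotiate
    </Directory>
</VirtualHost>
"""

FIXED_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate
</VirtualHost>
"""

OPEN = re.compile(r"^<(\w+)(?:\s[^>]*)?>$")
CLOSE = re.compile(r"^</(\w+)>$")
VERIFY = re.compile(r"^SSLVerifyClient\s+(require|optional|optional_no_ca)$", re.I)
# Containers below virtual-host level: client auth set here cannot be demanded in
# the initial handshake, so mod_ssl enforces it by renegotiating after the request.
PER_RESOURCE = {"directory", "directorymatch", "location", "locationmatch",
                "files", "filesmatch"}

def find_per_resource_client_auth(conf: str) -> list[tuple[int, str]]:
    """Return (line number, container) for each SSLVerifyClient that is scoped
    to a sub-resource rather than to the whole virtual host or server."""
    stack: list[str] = []
    hits: list[tuple[int, str]] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if m := OPEN.match(line):
            stack.append(m.group(1).lower())
        elif m := CLOSE.match(line):
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
        elif VERIFY.match(line):
            scopes = [s for s in stack if s in PER_RESOURCE]
            if scopes:
                hits.append((lineno, scopes[-1]))
    return hits
```

Run it over a real httpd.conf (after expanding Include lines) to list every place where client certificate verification still relies on a renegotiation.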

