httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)
Date Fri, 06 Nov 2009 02:19:26 GMT
Dr Stephen Henson wrote:

> There are two separate types used by Mozilla (Step up?) and Microsoft SSL/TLS
> (SGC?) implementations IIRC. One completes the handshake then starts a new
> session the second cuts it half way through.
>
> Been many years since I looked at those though. I recall having to alter the
> state machine to accommodate the Microsoft flavour. (Checks code, yes look for
> SGC comments in there)

Actually Steve - you may know - what besides the obvious

	extendedKeyUsage=nsSGC,msSGC

in the extension file needs to go into a sub-ca below a
self-signed-root-chain to make the browsers dance? Or have they
hardcoded in some specific CA or similar? Or is there a test case in
openssl which is useful here? As that would let us do a decent test script.

Thanks,

Dw

