From: Dirk-Willem van Gulik
Date: Fri, 06 Nov 2009 02:07:37 +0000
To: dev@httpd.apache.org
Subject: Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)
Message-ID: <4AF384E9.1090607@webweaving.org>
In-Reply-To: <4AF3815A.30506@oss-institute.org>

Dr Stephen Henson wrote:

> There are two separate types used by Mozilla (Step up?) and Microsoft SSL/TLS
> (SGC?) implementations IIRC. One completes the handshake then starts a new
> session the second cuts it half way through.
>
> Been many years since I looked at those though. I recall having to alter the
> state machine to accommodate the Microsoft flavour. (Checks code, yes look for
> SGC comments in there)

You aware of any command line tool which implements either or both?

Dw