Date: Thu, 18 Feb 2010 10:26:20 -0800
From: Daniel Veditz
Newsgroups: mozilla.dev.tech.crypto
Subject: Re: Fix for the TLS renegotiation bug

On 2/18/10 5:54 AM, Eddy Nigg wrote:
> Which reminds me that we were at this stage already in the past.
> Basically the authenticated session would have to be relayed through to
> the second server, something I rather prefer not to do. I suspect that
> there is no other way around that.

You could always patch your servers to support the new protocol. Unfortunately this flaw is not fixed until all servers and all clients are patched, and getting there is going to be painful. If you use Apache then patches are available for both mod_nss and mod_ssl. If you use some other server then site admins such as yourself should contact them and press for a solution. You'll need one soon enough, and getting fixes from a non-open-source vendor might take a long lead time.

I don't expect to ship a stable version of Firefox with broken SSL client-auth any time soon but it seemed appropriate for "Minefield" testing. We may revisit the Minefield choice if it's breaking too much, but maybe we'll just release note the temporary pref -- Minefield users are supposed to be savvy consumers of alpha software well capable of handling that kind of thing.

-Dan Veditz
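The post says the flaw stays open until every server and client speaks the patched protocol, and that a site admin needs a way to tell whether a given server has been fixed. The "new protocol" is the secure-renegotiation extension from RFC 5746, which a patched server signals by including a renegotiation_info extension (type 0xff01) in its ServerHello; on an initial handshake the extension carries an empty renegotiated_connection, i.e. a single 0x00 length byte. The following is an added example, not code from the thread or from Mozilla: it parses a TLS ServerHello record and classifies the server as "secure" (extension present and empty), "legacy" (extension absent, so the server is unpatched), or "invalid" (extension present with a non-empty value on a first handshake, which RFC 5746 requires a client to reject). The sample ServerHellos are constructed in the block itself so it runs offline; the cipher-suite values and other extension used in them are just plausible filler.

```python
import struct

# Extension type assigned by RFC 5746 for renegotiation_info.
RENEGOTIATION_INFO = 0xFF01


def build_server_hello(cipher_suite, extensions):
    """Construct a TLS 1.2 ServerHello record (constructed test data, not a capture).

    `extensions` is a list of (type, data) tuples; an empty list omits the
    extensions block entirely, as pre-RFC 5746 servers commonly did.
    """
    ext_body = b"".join(struct.pack("!HH", etype, len(data)) + data
                        for etype, data in extensions)
    body = (struct.pack("!H", 0x0303)          # server_version: TLS 1.2
            + bytes(32)                        # random: zeros (constructed)
            + b"\x00"                          # session_id length: 0
            + struct.pack("!H", cipher_suite)  # chosen cipher suite
            + b"\x00")                         # compression_method: null
    if extensions:
        body += struct.pack("!H", len(ext_body)) + ext_body
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse a single TLS record holding a ServerHello; return version, suite, extensions.

    Every length field is checked against the enclosing one so a truncated or
    malformed record raises instead of being silently misread.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("truncated record")
    if hs[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                         # skip random
    sid_len = body[pos]
    pos += 1 + sid_len                   # skip session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                         # skip cipher suite and compression_method

    extensions = {}
    if pos < len(body):                  # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length does not match body")
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def classify_renegotiation(record):
    """'secure', 'legacy' or 'invalid' per RFC 5746 rules for an initial handshake."""
    data = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    if data is None:
        return "legacy"                  # unpatched server: no renegotiation_info
    if data == b"\x00":
        return "secure"                  # empty renegotiated_connection, as required
    return "invalid"                     # non-empty on a first handshake: must abort


# Constructed samples: a patched server, an unpatched one, and an unpatched one
# that still sends some other extension (ec_point_formats, type 0x000b).
PATCHED_HELLO = build_server_hello(0xC02F, [(RENEGOTIATION_INFO, b"\x00")])
LEGACY_HELLO = build_server_hello(0x002F, [])
LEGACY_WITH_EXT_HELLO = build_server_hello(0x002F, [(0x000B, b"\x01\x00")])

if __name__ == "__main__":
    for name, hello in [("patched", PATCHED_HELLO), ("legacy", LEGACY_HELLO),
                        ("legacy+ext", LEGACY_WITH_EXT_HELLO)]:
        print(f"{name:11s} -> {classify_renegotiation(hello)}")
```

In practice the record would come from a capture or from a raw socket after sending a ClientHello that advertises the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite or an empty renegotiation_info extension; the parser only covers the ServerHello record, and a server that spreads its handshake across several records would need the records reassembled first.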