cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Jan Dittberner <jandd AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Cc: mario AT cacert.org
- Subject: Re: class 1 issue
- Date: Sun, 27 Mar 2011 13:09:44 +0200
On Mon, Mar 21, 2011 at 02:11:26PM +0100, ulrich AT cacert.org wrote:
> Hi,
>
> I've heard no one, who could login with his class3 cert
> into CATS for a while
> but many (all) that cannot
>
> So, if there is a chance to contact the users
> who did the tests within eg. the last 3 months
> to request the info, if they are using
> a class 1 or class 3 cert we'll probably
> get a better overview what happens.
>
> As I understand, class 3 access is totally broken.
> btw. the problems started around the MD5 discussion
> and browser updates eg FF4 started distribution.
>
> So probably, one test scenario might be, doing tests
> with old browser revisions
This would be an SSL renegotiation issue then (i.e. upgrading a session from
SSL/TLS without client certificate to a session with a client certificate). It
would be interesting whether users with a class 1 certificate and one of the
recently released browsers do have issues too.
There were some issues with specific forms of SSL renegotiation which led some
software projects to disable them or switch to secure renegotiation (available
in openssl 0.9.8m and later).
http://olex.openlogic.com/wazi/2010/ssl-tls-secure-renegotiation/
I think we have to upgrade the affected systems to a recent version of
openssl/Apache to fix this issue. The openssl package in Debian Squeeze (Lenny
backport available) is recent enough. Apache 2.2.16 (in Squeeze and Lenny
backports) can be configured appropriately too.
Regards
Jan
--
Jan Dittberner - CAcert Infrastructure Team
Software Architect, Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://www.dittberner.info/
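As an added illustration of the check behind this reply (not part of the original thread, and not CAcert's own tooling): the snippet below classifies the "Secure Renegotiation" line that `openssl s_client` prints after a handshake, which tells you whether a server completes the RFC 5746 secure-renegotiation extension that the upgraded openssl/Apache would provide. The `reneg_status` function reads a transcript from stdin so it can be exercised offline; `check_server` wraps a live probe. The host name, port and the abridged sample transcripts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify the renegotiation support reported by
# `openssl s_client`. Not from the original mail; the samples below are
# constructed, and the host/port in check_server are placeholders.

# reneg_status: read an `openssl s_client` transcript on stdin and print
# one of "secure", "insecure-only" or "unknown". Exit status is 0 only
# when the server negotiated RFC 5746 secure renegotiation.
reneg_status() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS supported"*)
            echo secure
            return 0 ;;
        *"Secure Renegotiation IS NOT supported"*)
            echo insecure-only
            return 1 ;;
        *)
            echo unknown
            return 2 ;;
    esac
}

# check_server: probe a live host (needs network; the offline test does
# not call this). Usage: check_server www.example.org 443
check_server() {
    host=$1
    port=${2:-443}
    # "Q" tells s_client to close the connection after the handshake.
    printf 'Q\n' | openssl s_client -connect "$host:$port" 2>/dev/null | reneg_status
}

# Constructed (abridged) transcripts standing in for real s_client output.
SAMPLE_SECURE='SSL handshake has read 2876 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_INSECURE='SSL handshake has read 2876 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'
```

A server that still reports "IS NOT supported" is the case the mail is worried about: clients that were updated around the time of the renegotiation fixes refuse to renegotiate with it, and with mod_ssl a client certificate required only inside a `<Location>` or `<Directory>` block is exactly a mid-session renegotiation, so the class 3 login fails while a session that never renegotiates keeps working.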