Re: [TLS] Verifying X.509 Certificate Chains out of order

"Ben Laurie" <benl@google.com> Sun, 12 October 2008 21:05 UTC

Message-ID: <1b587cab0810121334m5075576aod17cff0ff8220166@mail.gmail.com>
Date: Sun, 12 Oct 2008 21:34:41 +0100
From: "Ben Laurie" <benl@google.com>
To: "Nelson B Bolyard" <nelson@bolyard.me>
In-Reply-To: <48F11D66.6040900@bolyard.me>
MIME-Version: 1.0
Content-Disposition: inline
References: <E1KnXuC-00044h-Qp@wintermute01.cs.auckland.ac.nz> <48F11D66.6040900@bolyard.me>
Cc: IETF TLS Working Group <tls@ietf.org>
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order

On Sat, Oct 11, 2008 at 10:40 PM, Nelson B Bolyard <nelson@bolyard.me> wrote:
> Peter Gutmann wrote, On 2008-10-08 05:12 PDT:
>> Martin Rex <Martin.Rex@sap.com> writes:
> ANY of the following changes would mitigate these problems:
> - servers implementing TLS session caches, and then not performing FULL
> handshakes on every connection.

FWIW, Apache-SSL does its own caching of client certs because (at
least at the time) OpenSSL's cache didn't store them. I'm not sure if
this has been fixed.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
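The two points in this exchange, that a server-side session cache lets resumed connections skip the full handshake (and with it the chain verification), and that the cache entry has to carry the verified client certificate or the server loses the client's identity on resumption (what Ben says Apache-SSL had to add on its own), can be seen in a small model. The following is an added example, not code from the thread, from OpenSSL or from Apache-SSL; the `Cert`, `build_chain` and `SessionCache` names are illustrative, the certificate records are constructed toy data with no real signatures, and the chain builder only models the ordering step of a verifier (it also accepts intermediates supplied out of order, the thread's subject), not signature or policy checks.

```python
"""Model of a TLS server session cache that stores the verified client
certificate with the session, so a resumed handshake skips chain
verification but still knows who the client is.

Added example for this thread. Certificates are constructed records
(no signatures); names are illustrative, not OpenSSL's or Apache-SSL's API.
"""
from __future__ import annotations

from dataclasses import dataclass
import os


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: float  # constructed expiry, Unix timestamp


def build_chain(leaf: Cert, extras: list[Cert],
                anchors: dict[str, Cert], now: float) -> list[Cert]:
    """Order an unordered bag of certificates into leaf -> ... -> anchor.

    The peer may send its intermediates in any order, so we link by
    issuer name rather than by list position. A real verifier must also
    check each link's signature, key usage and constraints; only the
    path-building and expiry checks are modelled here.
    """
    by_subject = {c.subject: c for c in extras}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer not in anchors:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen:  # gap or cycle: no path
            raise ValueError(f"no path to a trust anchor from {leaf.subject!r}")
        seen.add(nxt.subject)
        chain.append(nxt)
        cur = nxt
    chain.append(anchors[cur.issuer])
    for c in chain:
        if c.not_after <= now:
            raise ValueError(f"{c.subject!r} has expired")
    return chain


class SessionCache:
    """Server session cache: session id -> (entry expiry, verified client cert).

    A real entry also holds the master secret and cipher suite; only the
    identity part this thread is about is modelled.
    """

    def __init__(self, lifetime: float = 300.0):
        self.lifetime = lifetime
        self._entries: dict[bytes, tuple[float, Cert]] = {}
        self.full_handshakes = 0
        self.resumptions = 0

    def full_handshake(self, leaf: Cert, extras: list[Cert],
                       anchors: dict[str, Cert], now: float):
        """Verify the chain once and remember the client cert under a new id."""
        chain = build_chain(leaf, extras, anchors, now)
        sid = os.urandom(32)
        self._entries[sid] = (now + self.lifetime, chain[0])
        self.full_handshakes += 1
        return sid, chain

    def resume(self, sid: bytes, now: float) -> Cert | None:
        """Abbreviated handshake: no chain work, but the identity is still known.

        Returns None when the session is unknown or stale, forcing a full
        handshake; the stored cert's own expiry is re-checked so a cached
        entry cannot outlive the certificate it vouches for.
        """
        entry = self._entries.get(sid)
        if entry is None:
            return None
        expires, cert = entry
        if expires <= now or cert.not_after <= now:
            del self._entries[sid]
            return None
        self.resumptions += 1
        return cert


def demo() -> dict:
    """Constructed scenario: root -> ICA 1 -> ICA 2 -> client, intermediates
    sent furthest-from-leaf first, then one resumption inside the lifetime
    and one after it."""
    now = 1_000_000.0
    root = Cert("Example Root", "Example Root", now + 10_000)
    ica1 = Cert("Example ICA 1", "Example Root", now + 10_000)
    ica2 = Cert("Example ICA 2", "Example ICA 1", now + 10_000)
    leaf = Cert("client@example.test", "Example ICA 2", now + 10_000)
    anchors = {root.subject: root}

    cache = SessionCache(lifetime=300.0)
    sid, chain = cache.full_handshake(leaf, [ica1, ica2], anchors, now)
    resumed = cache.resume(sid, now + 10)      # within lifetime: cache hit
    stale = cache.resume(sid, now + 301)       # past lifetime: full handshake needed
    try:                                        # missing intermediate: must fail
        build_chain(leaf, [ica1], anchors, now)
        missing_rejected = False
    except ValueError:
        missing_rejected = True
    return {"chain": [c.subject for c in chain], "resumed": resumed,
            "stale": stale, "missing_rejected": missing_rejected,
            "full": cache.full_handshakes, "resumptions": cache.resumptions}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the tuple stored in `_entries`: if the cache kept only the session secret, a resumed connection would be cryptographically fine but the server would have no client certificate to authorise against, which is the gap the message describes Apache-SSL filling on its own.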