Re: [TLS] Verifying X.509 Certificate Chains out of order

To: "Nelson B Bolyard" <nelson at bolyard.me>
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
From: "Ben Laurie" <benl at google.com>
Date: Sun, 12 Oct 2008 21:34:41 +0100
Cc: IETF TLS Working Group <tls at ietf.org>
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1223843684; bh=GMgjsp3O/3P1odXMGnfwrfL9xAc=; h=DomainKey-Signature:Message-ID:Date:From:To:Subject:Cc: In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-Disposition:References; b=bas2ZjSfcqQLdtAvfam7OaChJB6+FM8K ixELwahbax5J+n08kpirN2eulzIxWVDgxo3TSJXNRUsKFzzxBSw50w==
Domainkey-signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=message-id:date:from:to:subject:cc:in-reply-to: mime-version:content-type:content-transfer-encoding: content-disposition:references; b=ElkZSnrUDfvEW5NSQZjmQBN3D2MvoEwzNMP5XEU6aB7z794Fnlp+r7R2ppzovcrh4 vprfFsbHhVf4+V9V+Qoxg==
In-reply-to: <48F11D66.6040900 at bolyard.me>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <E1KnXuC-00044h-Qp at wintermute01.cs.auckland.ac.nz> <48F11D66.6040900 at bolyard.me>
Sender: tls-bounces at ietf.org

On Sat, Oct 11, 2008 at 10:40 PM, Nelson B Bolyard <nelson at bolyard.me> wrote:
> Peter Gutmann wrote, On 2008-10-08 05:12 PDT:
>> Martin Rex <Martin.Rex at sap.com> writes:
> ANY of the following changes would mitigate these problems:
> - servers implementing TLS session caches, and then not performing FULL
> handshakes on every connection.

FWIW, Apache-SSL does its own caching of client certs because (at
least at the time) OpenSSL's cache didn't store them. I'm not sure if
this has been fixed.
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

References:
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Peter Gutmann
- Re: [TLS] Verifying X.509 Certificate Chains out of order
  - From: Nelson B Bolyard

Prev by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Next by Date: Re: [TLS] Verifying X.509 Certificate Chains out of order
Previous by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Next by thread: Re: [TLS] Verifying X.509 Certificate Chains out of order
Index(es):
- Date
- Thread

Re: [TLS] Verifying X.509 Certificate Chains out of order

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.