Re: [TLS] RESOLVED (Re: [sasl] last call comments (st Call:

Peter Gutmann wrote:
> 
> Martin Rex <Martin.Rex at sap.com> writes:
> 
> >Microsoft's implementation (which could be the one referred to by
> >Larry's implementation) has a silly design flaw in its TLS renegotiation,
> >and I'm not sure that the previous text is a way to fix it.
> >
> >It is possible to configure Microsoft IIS in a fashion so that it
> >will first perform a TLS handshake with a server-only authentication,
> >and after having received the HTTP request, it will re-negotiate and
> >ask for a client certificate.
> 
> It's not necessarily a design flaw, AFAIK it's a performance optimisation to 
> avoid the server having to maintain state/leave a connection open for an 
> arbitrary amount of time while the user fumbles around with smart cards and 
> certificates and whatnot.

I'm sorry if I have explained myself so badly.

I was NOT talking about the closing of the connection while the
client is prompting the user for selection of a client certificate.
That is actually an extremely appreciated feature of MSIE (the Browser),
a point where most other web browsers are broken in that they
stall the server in the middle of a TLS handshake for an indefinite
amount of time while performing user interaction.

I was referring to a design flaw in server-side session caching of
Microsoft IIS (the Server) when it is configured to perform renegotiation
in order to obtain a client certificate after having seen and evaluated
the request.

-Martin

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.