Re: [TLS] draft-rescorla-tls-renegotiate.txt
Nelson B Bolyard wrote:
> 
> Here is an alternative that should have the same user experience and not
> be MITM vulnerable, not even with SSL 3.0 clients:
> 
>    Replace renegotiation with redirection.
> 
> Set up a second https server (process) on the same physical server, e.g.
> a different port on the same IP address.  The new server always requests
> client authentication on the initial handshake, not in a renegotiation.

That is actually what our clients usually have to do since the
OEM SSL/TLS library we provide does not support renegotiation on
the server side (it's also not in our apps' software layers).

There is one itch I have with this:
A number of Web Proxies (like the one of our company) do not
permit HTTP CONNECT to ports other than 443.

Should we ask for an additional port to be officially allocated
to http-over-ssl-with-client-cert so that we can get this past
our security policy (not joking)?


-Martin
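
As an added illustration (this is not from Nelson's or Martin's mail, nor from any project either of them describes), the "redirection instead of renegotiation" layout sketched above can be expressed as two nginx server blocks: a public listener on 443 that never asks for a client certificate, and a second listener on another port that requires one in the initial handshake. Hostnames, ports, certificate paths and the backend address are assumptions chosen for the example.

```nginx
# Added example, not part of the thread. Paths, ports, hostnames and the
# backend are assumed values.

# Listener 1: ordinary HTTPS on 443. Client auth is never requested here,
# so there is never a reason to renegotiate on this connection.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/example/server.crt;   # assumed path
    ssl_certificate_key /etc/ssl/example/server.key;   # assumed path
    ssl_verify_client   off;
    ssl_session_cache   shared:PUBLIC:10m;   # kept separate from the client-auth listener's cache

    location / {
        root /var/www/public;   # assumed document root
    }

    # The protected tree is not served on this listener at all; the client
    # is redirected to the endpoint that authenticates it in the initial handshake.
    location /secure/ {
        return 302 https://www.example.com:8443$request_uri;
    }
}

# Listener 2: separate process/port on the same IP that always requests a
# client certificate during the initial handshake (no renegotiation involved).
server {
    listen 8443 ssl;
    server_name www.example.com;

    ssl_certificate        /etc/ssl/example/server.crt;      # assumed path
    ssl_certificate_key    /etc/ssl/example/server.key;      # assumed path
    ssl_client_certificate /etc/ssl/example/client-ca.crt;   # CA that issued client certs (assumed path)
    ssl_verify_client      on;     # handshake fails unless a valid client cert is presented
    ssl_verify_depth       2;
    ssl_session_cache      shared:CLIENTAUTH:10m;   # distinct cache: a 443 session cannot be resumed here

    location /secure/ {
        # Hand the verified identity to the application; it was established
        # in the initial handshake, not in a renegotiated one.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }

    # Anything outside the protected tree goes back to the public listener.
    location / {
        return 302 https://www.example.com$request_uri;
    }
}
```

Martin's objection applies directly to this layout: a browser behind a proxy that only permits CONNECT to 443 can never reach the 8443 listener, so the redirect simply fails. Nelson's proposal names a second port only as an example; the same two-listener arrangement can be put on a second IP address (or a distinct hostname) that also listens on 443, which keeps the client-authenticated endpoint reachable through such proxies without changing anything else in the configuration above.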

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.