Penetration Testing mailing list archives
TLS with mutual authentication
From: Andy Deweirt <andy.deweirt () gmail com>
Date: Thu, 23 Apr 2009 13:25:18 +0200
All,

I'm doing some security tests with a reverse proxy which performs mutual authentication using certificates. When sniffing the traffic I see something disturbing: I see the Client Hello, Server Hello, the server sending its certificate and requesting the certificate from the client. In that last request I can see the server sending a list of all client certificates that the server trusts:

    Handshake Protocol: Certificate Request
        Handshake Type: Certificate Request (13)
        Length: 644
        Certificate types count: 2
        +Certificate types (2 types)
            ... [the two types]
        Distinguished Names Length: 639
        +Distinguished Names (639 bytes)
            ... [list of client certificates]

Is that normal TLS v1 behavior? Is it normal that the server sends out client certificates? Should I worry about the security?

Kind regards,
Andy
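The "Distinguished Names" field in the dissector output above is the certificate_authorities field of the TLS CertificateRequest message (RFC 5246 section 7.4.4): a list of DER-encoded X.501 names of the certificate authorities the server will accept, which a client uses to pick a certificate from the right chain. What the server discloses is therefore the set of CAs it trusts, not the client certificates themselves, and the spec allows the list to be empty. The following parser is an added example, not code from the post or from any product mentioned in it; it builds a small CertificateRequest from constructed values (the CA names and certificate types are made up for the example) and decodes it back so you can see exactly what such a message carries. A real capture exported as raw handshake bytes can be fed to parse_certificate_request the same way.

```python
"""Encode and parse a TLS 1.0-1.2 CertificateRequest handshake message
(handshake type 13) to show what its 'Distinguished Names' carry:
DER-encoded X.501 names of acceptable CAs (RFC 5246 section 7.4.4).
All sample values below are constructed for this example.
"""
import struct

# --- minimal DER helpers (short-form lengths only, enough for names) ---
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; assumes a body shorter than 128 bytes."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body

# Attribute-type OIDs commonly seen in issuer names
OIDS = {
    b"\x55\x04\x03": "CN",   # 2.5.4.3  commonName
    b"\x55\x04\x0a": "O",    # 2.5.4.10 organizationName
    b"\x55\x04\x06": "C",    # 2.5.4.6  countryName
}
OID_BY_NAME = {v: k for k, v in OIDS.items()}

def encode_name(rdns):
    """Build an X.501 Name: SEQUENCE of SET of SEQUENCE {OID, PrintableString}."""
    parts = b""
    for attr, value in rdns:
        atv = der(0x30, der(0x06, OID_BY_NAME[attr]) + der(0x13, value.encode("ascii")))
        parts += der(0x31, atv)          # one single-valued RDN per SET
    return der(0x30, parts)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:                    # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_name(name_der: bytes) -> str:
    """Render a DER Name as 'C=.., O=.., CN=..' (unknown OIDs shown as hex)."""
    tag, seq, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = read_tlv(seq, pos)      # SET of AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn_set, 0)          # first (only) ATV in the SET
        _, oid, p2 = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p2)
        out.append(f"{OIDS.get(oid, oid.hex())}={value.decode('ascii', 'replace')}")
    return ", ".join(out)

# --- TLS handshake message encoding / decoding ---
def build_certificate_request(cert_types, ca_names) -> bytes:
    """Encode a CertificateRequest: type(1) length(3) types<1..> DNs<0..2^16-1>."""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = types + struct.pack("!H", len(dns)) + dns
    return bytes([13]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes):
    """Return (certificate_types, [decoded CA names]) from a CertificateRequest."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n = body[0]
    cert_types = list(body[1:1 + n])
    pos = 1 + n
    (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + dn_len
    if end > len(body):
        raise ValueError("certificate_authorities length exceeds message body")
    names = []
    while pos < end:                      # each DN is length-prefixed (2 bytes)
        (dn_size,) = struct.unpack("!H", body[pos:pos + 2])
        names.append(decode_name(body[pos + 2:pos + 2 + dn_size]))
        pos += 2 + dn_size
    return cert_types, names

# Constructed sample: types rsa_sign(1) and dss_sign(2), plus two made-up CA names
SAMPLE = build_certificate_request(
    [1, 2],
    [encode_name([("C", "BE"), ("O", "Example Org"), ("CN", "Example Client CA")]),
     encode_name([("CN", "Example Root CA")])],
)

if __name__ == "__main__":
    types, names = parse_certificate_request(SAMPLE)
    print("certificate types:", types)
    for name in names:
        print("acceptable CA:", name)
```

The decoded names are issuer names of CAs, which is why a 639-byte list as in the capture above typically means a handful of CA distinguished names rather than any certificate data. From a defender's point of view the thing to review is whether every CA in that list should really be accepted for client authentication, since any client holding a certificate from one of them passes this first filter.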
Current thread:
- TLS with mutual authentication Andy Deweirt (Apr 23)
- Re: TLS with mutual authentication Joshua Wright (Apr 26)