Penetration Testing mailing list archives

TLS with mutual authentication


From: Andy Deweirt <andy.deweirt () gmail com>
Date: Thu, 23 Apr 2009 13:25:18 +0200

All,

I'm doing some security tests with a reverse proxy which performs
mutual authentication using certificates. When sniffing the traffic I
see something disturbing:
I see the Client Hello, Server Hello, the server sending its certificate
and requesting the certificate from the client.
In that last request I can see the server sending a list of all client
certificates that the server trusts:

Handshake Protocol: Certificate Request
 Handshake Type: Certificate Request (13)
 Length: 644
 Certificate types count: 2
 +Certificate types (2 types)
   ... [the two types]
 Distinguished Names Length: 639
 +Distinguished Names (639 bytes)
   ... [list of client certificates]

Is that normal TLS v1 behavior? Is it normal that the server sends out
client certificates? Should I worry about the security?



Kind regards,
Andy
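For reference, the message quoted above is the TLS 1.0 to 1.2 CertificateRequest (handshake type 13): a count of accepted certificate types, then a length-prefixed list of DER-encoded X.501 names, which the protocol defines as the distinguished names of the certificate authorities the server will accept client certificates from. The parser below is an added example, not code from the original post; it builds a constructed CertificateRequest with two CA names, parses it back, and pulls the CommonName out of each name with a minimal DER lookup that is sufficient for the sample (assumed helper names throughout).

```python
import struct

# Certificate type codes from the ClientCertificateType enum (rsa_sign, dss_sign).
CERT_TYPE_NAMES = {1: "rsa_sign", 2: "dss_sign"}

def der_name(cn: str) -> bytes:
    """Build a minimal DER X.501 Name holding only a CommonName (test helper, constructed)."""
    value = cn.encode("ascii")
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x13, len(value)]) + value  # OID 2.5.4.3 + PrintableString
    atv = bytes([0x30, len(atv)]) + atv                                  # AttributeTypeAndValue SEQUENCE
    rdn = bytes([0x31, len(atv)]) + atv                                  # RelativeDistinguishedName SET
    return bytes([0x30, len(rdn)]) + rdn                                 # Name SEQUENCE

def build_certificate_request(cert_types, ca_names):
    """Serialise a CertificateRequest handshake message: type 13, 3-byte length, body."""
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", len(dns)) + dns
    return bytes([13]) + len(body).to_bytes(3, "big") + body

def common_name(dn: bytes) -> str:
    """Return the CN of a DER Name by locating OID 2.5.4.3; falls back to hex if absent."""
    i = dn.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return dn.hex()
    length = dn[i + 6]                     # string tag at i+5, its length at i+6
    return dn[i + 7:i + 7 + length].decode("ascii", "replace")

def parse_certificate_request(msg: bytes) -> dict:
    """Decode the certificate types and the acceptable-CA names of a CertificateRequest."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n = body[0]
    types = [CERT_TYPE_NAMES.get(t, f"unknown({t})") for t in body[1:1 + n]]
    pos = 1 + n
    dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + dn_len
    if end > len(body):
        raise ValueError("distinguished names overrun the message")
    names = []
    while pos < end:                       # each entry: 2-byte length + DER Name
        l = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        names.append(common_name(body[pos:pos + l]))
        pos += l
    return {"certificate_types": types, "acceptable_cas": names}

# Constructed sample message; the CA names are placeholders, not from any real deployment.
SAMPLE = build_certificate_request([1, 2], [der_name("Example Root CA"), der_name("Example Issuing CA")])
```

Running `parse_certificate_request` on bytes captured from a real handshake shows which issuers a server advertises, which is the list an operator may want to keep to the minimum set of CAs actually needed.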
