Penetration Testing mailing list archives
Re: TLS with mutual authentication
From: Joshua Wright <jwright () hasborg com>
Date: Fri, 24 Apr 2009 07:59:01 -0400
Andy Deweirt wrote:
> I'm doing some security tests with a reverse proxy which performs mutual authentication using certificates. When sniffing the traffic I see something disturbing:
>
> Handshake Protocol: Certificate Request
>     Handshake Type: Certificate Request (13)
>     Length: 644
>     Certificate types count: 2
>     +Certificate types (2 types) ... [the two types]
>     Distinguished Names Length: 639
>     +Distinguished Names (639 bytes) ... [list of client certificates]
>
> Is that normal TLS v1 behavior? Is it normal that the server sends out client certificates? Should I worry about the security?
It's normal for both ends to share the public key information. You can actually click on the key inside of Wireshark, click File - Export - Selected Packet Bytes, and save the certificate as a .cer file which will be a valid DER-encoded file. Without the private key content, however, the threat is minimal. Good eyes though. :)

-Josh
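The dissector output quoted above is the layout of a TLS 1.0/1.1 CertificateRequest handshake message (RFC 2246, section 7.4.4): a one-byte count of client certificate types, the types themselves, then a two-byte length followed by a list of DER-encoded Distinguished Names of the certificate authorities the server will accept a client certificate from. The field therefore carries CA names, not certificates, and the lengths in the capture fit that layout exactly (644 = 1 + 2 + 2 + 639). The example below is added for this page and is not code from either poster: it builds such a message from constructed CA names (`Example Client CA`, `Example Partner CA` and `Example Corp` are made up), parses it back with every length checked, and decodes each name, so the same functions can be applied to the bytes exported from a capture.

```python
"""Build and parse a TLS 1.0/1.1 CertificateRequest handshake message.

Constructed example for illustration: the CA names below are made up and
are not taken from the trace discussed in the thread.
"""

HANDSHAKE_CERTIFICATE_REQUEST = 13   # HandshakeType.certificate_request
RSA_SIGN, DSS_SIGN = 1, 2            # ClientCertificateType values (RFC 2246)

# Attribute OIDs commonly found in a CA's Distinguished Name, as DER content bytes.
OID_CN = bytes.fromhex("550403")     # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")      # 2.5.4.10 organizationName
OID_C = bytes.fromhex("550406")      # 2.5.4.6  countryName
OID_NAMES = {OID_CN: "CN", OID_O: "O", OID_C: "C"}


def handshake_body_length(cert_type_count: int, dn_list_len: int) -> int:
    """Body length implied by the two counts Wireshark shows for this message."""
    return 1 + cert_type_count + 2 + dn_list_len


def der(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a DER TLV using a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def der_name(attrs: list[tuple[bytes, str]]) -> bytes:
    """Encode an X.501 Name: SEQUENCE OF (SET OF SEQUENCE {OID, PrintableString})."""
    rdns = b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x13, value.encode("ascii"))))
        for oid, value in attrs
    )
    return der(0x30, rdns)


def der_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(payload: bytes) -> list[tuple[int, bytes]]:
    """Split the content of a constructed DER element into (tag, content) children."""
    children, pos = [], 0
    while pos < len(payload):
        tag, value, pos = der_read(payload, pos)
        children.append((tag, value))
    return children


def name_to_string(name: bytes) -> str:
    """Render a DER Name as 'CN=..., O=...' (unknown OIDs are shown as hex)."""
    tag, rdn_seq, _ = der_read(name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts = []
    for _, rdn in der_children(rdn_seq):          # each RDN is a SET
        for _, atv in der_children(rdn):          # each AttributeTypeAndValue
            (_, oid), (_, value) = der_children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('ascii')}")
    return ", ".join(parts)


def build_certificate_request(cert_types: list[int], ca_names: list[bytes]) -> bytes:
    """Serialize a CertificateRequest, including its 4-byte handshake header."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    dn_list = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body += len(dn_list).to_bytes(2, "big") + dn_list
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg: bytes) -> dict:
    """Parse the handshake message; every length is validated before use."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 3:
        raise ValueError("handshake body truncated")
    count = body[0]
    if 1 + count + 2 > len(body):
        raise ValueError("certificate types run past end of body")
    cert_types = list(body[1:1 + count])
    pos = 1 + count
    dn_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if pos + dn_len != len(body):
        raise ValueError("Distinguished Names length does not match body")
    names = []
    while pos < len(body):
        n = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(body):
            raise ValueError("DistinguishedName runs past end of list")
        names.append(body[pos:pos + n])
        pos += n
    return {"certificate_types": cert_types, "certificate_authorities": names}


if __name__ == "__main__":
    cas = [der_name([(OID_CN, "Example Client CA"), (OID_O, "Example Corp")]),
           der_name([(OID_CN, "Example Partner CA"), (OID_C, "BE")])]
    req = parse_certificate_request(build_certificate_request([RSA_SIGN, DSS_SIGN], cas))
    print("certificate types:", req["certificate_types"])
    for dn in req["certificate_authorities"]:
        print("acceptable CA:", name_to_string(dn))
```

To apply this to a real trace, export the handshake message bytes from Wireshark as described in the reply and pass them to `parse_certificate_request`; each entry it returns decodes to the name of a CA, which is exactly what a client needs in order to choose which of its certificates to present.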
Current thread:
- TLS with mutual authentication Andy Deweirt (Apr 23)
- Re: TLS with mutual authentication Joshua Wright (Apr 26)