[LINK] [OT] Help re RFC 2246. The TLS Protocol
Bernard Robertson-Dunn
brd at iimetro.com.au
Fri Feb 20 02:01:09 AEDT 2009
Roger Clarke wrote:
> At 22:54 +1100 19/2/09, Bernard Robertson-Dunn wrote:
>
>> I need a client initiated SSL session to force mutual authentication ...
>>
>
> I'm no help whatsoever, sorry.
>
> But:
> (a) I reckon lots of linkers will understand the question and why it matters
> (b) some of us will be embarrassed that we're not quite sure where to
> start the research
> (c) many of us will be relieved that even you need to ask the question
>
> And it's certainly not OT, because it has policy implications:
>
Here's the context. I'll let others decide if it's OT.
The situation is a b2b transaction.
A customer wishes to send a purchase order to a supplier. The supplier's
server is configured for mutual authentication and is tested as such.
The supplier turns off mutual authentication on her server. Under RFC
2246, the SSL handshake that invokes mutual authentication is controlled
only by the server. The upshot of all this is that the customer's client
a) has no way of knowing mutual authentication has been turned off and
b) cannot enforce mutual authentication from his end.
If mutual authentication has been turned off, there would appear to be
the possibility of a man in the middle attack. Not only that, but the
customer is unaware of this.
SSL seems to be asymmetric in asserting mutual authentication. This
would appear to be a Bad Thing.
Advice, corrections and help are appreciated.
And I'm still trying to work out what (c), above, means.
--
Regards
brd
Bernard Robertson-Dunn
Canberra Australia
brd at iimetro.com.au
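As an added example (not code from this thread or from any project it mentions), here is one thing the customer's client can observe from its own end: whether the server ever sent a CertificateRequest, the handshake message that brings client authentication into play. Go's crypto/tls calls the GetClientCertificate callback only when that message arrives, so the client can record it and decline to send the purchase order if it never did; the function name, the in-memory pipe and the throwaway self-signed certificate are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ServerRequestedClientCert runs one TLS handshake over an in-memory pipe with the
// server's ClientAuth set to mode and reports whether a CertificateRequest arrived.
func ServerRequestedClientCert(mode tls.ClientAuthType) (bool, error) {
	// Throwaway self-signed certificate shared by both sides (constructed test material).
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return false, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srvSide, cliSide := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { // supplier side: only the server decides whether to ask for a client cert
		srvErr <- tls.Server(srvSide, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			ClientAuth:             mode,
			SessionTicketsDisabled: true, // keeps the pipe free of post-handshake records
		}).Handshake()
	}()
	requested := false // customer side: flipped only if the server sends CertificateRequest
	cli := tls.Client(cliSide, &tls.Config{
		InsecureSkipVerify: true, // demo only: no trust store for the throwaway server cert
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			return &cert, nil
		},
	})
	if err := cli.Handshake(); err != nil {
		return false, err
	}
	return requested, <-srvErr
}
```

With the server set to tls.NoClientCert the function returns false even though the handshake succeeds, which is exactly the silent downgrade the thread describes; with tls.RequestClientCert it returns true.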