Bug 692154 - Support the encrypted client certificates TLS extension
Status: RESOLVED WONTFIX (Closed)
Opened 13 years ago, closed 12 years ago
Categories: NSS :: Libraries, enhancement
Tracking: Not tracked
People: Reporter: wtc, Assigned: wtc
Attachments (2 files, 3 obsolete files)
8.74 KB, text/plain
21.82 KB, patch
Description
This TLS extension is specified in the attached draft by Adam Langley draft-agl-tls-encryptedclientcerts-00.html. It addresses the privacy issue of sending a client certificate by sending the Certificate handshake message after the ChangeCipherSpec message.
Comment 1 (Assignee) • 13 years ago
The attached patch is written by Adam Langley. This patch hasn't been tested in Chrome yet.
Comment 2 (Assignee) • 13 years ago
agl just submitted the draft to IETF: http://www.ietf.org/id/draft-agl-tls-encryptedclientcerts-00.txt
Attachment #564913 - Attachment is obsolete: true
Comment 3 (Assignee) • 13 years ago
Updated the patch to the current NSS trunk and made minor edits.
Attachment #564919 - Attachment is obsolete: true
Comment 4 (Assignee) • 13 years ago
I did a thorough review, made some small changes to ssl3con.c (prSpec vs. crSpec, etc.), and added a test case to sslauth.txt. This patch is now of checkin quality, except for the use of an unofficial TLS extension number.
Attachment #572721 - Attachment is obsolete: true
Comment 5 (Assignee) • 12 years ago
We have decided to abandon this extension. See the Chromium changelist https://chromiumcodereview.appspot.com/10387222/
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Comment 6 • 11 years ago
In the event that this ever gets resurrected: We need to consider whether this extension implies any guarantee that we will have authenticated the server's certificate before sending the client certificate. In the current libssl code, ssl3_SendClientSecondRound will block the handshake until the server's cert has been authenticated, when otherwise the handshake would continue through the Finished messages before blocking on peer certificate authentication.
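The message-order change from the description (Certificate sent after ChangeCipherSpec) and the ordering concern raised in Comment 6, modelled as an added example. This is illustration code, not NSS/libssl code and not text from the draft: the position of CertificateVerify after the moved Certificate and the "block until the server certificate is authenticated" policy are assumptions, labelled in the comments, based only on the bug description and Comment 6.

```python
"""
Toy model of the client's second handshake flight in TLS 1.2, contrasting the
standard message order with the order described in this bug for
draft-agl-tls-encryptedclientcerts (Certificate sent after ChangeCipherSpec).
Added illustration, not NSS/libssl code. The position of CertificateVerify and
the blocking rule are assumptions modelled on the bug description and Comment 6.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Widest audience that can read the client certificate for a configuration.
PASSIVE = "passive network observer"
UNAUTH_PEER = "holder of the server key, authenticated or not"
AUTH_PEER = "peer whose certificate the client has already verified"
NOT_SENT = "not sent yet (handshake blocked)"


class HandshakeBlocked(Exception):
    """The flight must wait until server certificate authentication completes."""


@dataclass
class ClientState:
    encrypted_client_certs: bool      # extension negotiated with the server?
    server_cert_authenticated: bool   # has the server cert auth callback finished?
    block_until_authenticated: bool   # Comment 6 policy: hold Certificate until it has


def client_second_flight(state: ClientState) -> List[Tuple[str, bool]]:
    """Return the flight as (message, sent_under_record_encryption) pairs.

    Standard order: Certificate goes out in the clear before ChangeCipherSpec.
    Extension order: Certificate goes out after ChangeCipherSpec, so the record
    layer encrypts it, but the client then needs to know whom it is talking to
    before revealing it.
    """
    if not state.encrypted_client_certs:
        return [
            ("Certificate", False),
            ("ClientKeyExchange", False),
            ("CertificateVerify", False),
            ("ChangeCipherSpec", False),
            ("Finished", True),
        ]
    if state.block_until_authenticated and not state.server_cert_authenticated:
        # Corresponds to libssl blocking in ssl3_SendClientSecondRound (Comment 6).
        raise HandshakeBlocked("waiting for server certificate authentication")
    return [
        ("ClientKeyExchange", False),
        ("ChangeCipherSpec", False),
        ("Certificate", True),         # assumption: CertificateVerify follows it
        ("CertificateVerify", True),
        ("Finished", True),
    ]


def client_cert_exposure(state: ClientState) -> str:
    """Classify the widest audience that can read the client certificate."""
    try:
        flight: Dict[str, bool] = dict(client_second_flight(state))
    except HandshakeBlocked:
        return NOT_SENT
    if not flight["Certificate"]:
        return PASSIVE
    # Encrypted, but the record keys were agreed with whoever answered the
    # ClientHello; only server authentication ties that party to an identity.
    return AUTH_PEER if state.server_cert_authenticated else UNAUTH_PEER


if __name__ == "__main__":
    scenarios = {
        "standard TLS, server auth pending": ClientState(False, False, False),
        "extension, server auth pending, no blocking": ClientState(True, False, False),
        "extension, server auth pending, blocking": ClientState(True, False, True),
        "extension, server auth done": ClientState(True, True, True),
    }
    for name, st in scenarios.items():
        print(f"{name}: client certificate readable by {client_cert_exposure(st)}")
```

The third and fourth scenarios are the point of Comment 6: with the extension negotiated, encrypting the Certificate only narrows its audience to "whoever holds the server key", and that audience collapses to the intended server only if the client has finished authenticating the server's certificate before the Certificate message is sent, which is what the blocking behaviour of ssl3_SendClientSecondRound provides.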