On 04/10/2014 03:09 AM, Markus Falb wrote:
>
> I am assuming that client certificates are handed out to staff. Basically you can't
> really control where people install client certificates and which client software is used.
> If one is tricked into doing an SSL handshake with a malicious server, the key of the client
> certificate is leaked. Reissuing the cert won't help because the next day there
> would be another malicious handshake with another bad server...

No, the server never sees a private client certificate; it only ever has access to the public certificate, which, being public by its very nature, doesn't really matter if it gets leaked.

No vulnerability on the server can expose a private client certificate, only a vulnerability on the client can.

Peter

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos