When sending an indication using HTTPS, a client-side certificate is *not*
presented to the indication listener as part of the SSL handshake. An
indication listener cannot authenticate the source of the indication
without this information, and this can lead to an 'indication masquerade'.
Using a client-side certificate as part of the SSL handshake allows the
indication listener to inspect the client-side certificate and, using a CA
chain, verify that the indication is 'trusted'.

The attached patch solves this problem by taking advantage of libcurl's
curl_easy APIs.

Patch details:
* registers the server's cert to be used when sending indications.
* uses getControlChars() to read the sslCertificateFilePath and
sslKeyFilePath.
* sets curl options with curl_easy_setopt()

The patch has been tested on an HTTPS-based indication listener.
Chris Buccella
sfcb
Security
Public
| Filename | Description |
|---|---|
| patch.txt | indication sending with client side cert patch |

| Field | Old Value | Date | By |
|---|---|---|---|
| status_id | Pending | 2008-03-12 02:20 | sf-robot |
| close_date | 2008-01-11 17:03 | 2008-03-12 02:20 | sf-robot |
| status_id | Open | 2008-01-11 17:03 | buccella |
| resolution_id | None | 2008-01-11 17:03 | buccella |
| close_date | - | 2008-01-11 17:03 | buccella |
| File Added | 261268: patch.txt | 2008-01-08 00:07 | peter_nature |