WebApp Sec mailing list archives
RE: Evading Client-Certificate Authentication
From: "email lists" <lists () darrenmackay com>
Date: Wed, 7 Apr 2004 08:11:43 +1000
There are 2 ends of the scale for client certificate authentication:

1. ensure the client certs are signed by any known CA (i.e. CAs known to the web server / web server SSL library)
2. ensure the client certificate CA, subject, fingerprint, etc. are what the web server is expecting.

and of course anywhere in between these 2 extremes. One would hope that the web server is configured towards the latter. A lot of web servers that I have seen are only configured for a known CA and do not perform full checks of the client cert (CA, subject, fingerprint, etc).

As the site appears to be using the Verisign personal certs for client authentication, you could obtain your own personal cert from Verisign and attempt to authenticate using your cert - this will confirm how the client cert authentication process is configured.

That said, if the site in question is only configured to check for a known CA for the client cert, AND the site uses a private CA, then to authenticate to the website requires the client cert to be generated internally in the organisation (assumes the private CA is well protected, etc).

On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:
Whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site through paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion. Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?
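The two ends of the scale in the reply above, written out as an added Python example that is not part of the original post. It models the application-layer check a server should run after its TLS library has already validated the chain: the CA-only check accepts any certificate the trusted CA ever issued, while the full check also pins issuer, subject and fingerprint and rejects expired certificates. The certificate dictionaries mirror the shape `ssl.SSLSocket.getpeercert()` returns; the issuer name, subject names, DER bytes and dates are all constructed for the example.

```python
import hashlib
import ssl

# Constructed policy (not from the original post). The TLS layer is assumed to
# have already verified the chain to a trusted CA; this layer decides *which*
# certificate arrived, not merely who signed it.
EXPECTED_ISSUER_CN = "Example Corp Internal CA"                     # constructed
ALLOWED_SUBJECT_CNS = {"alice@example.test", "bob@example.test"}     # constructed
PINNED_FINGERPRINTS = set()   # SHA-256 over the DER encoding, filled in below

# Fixed "now" so the expiry check is deterministic (constructed date).
FIXED_NOW = ssl.cert_time_to_seconds("Apr  7 00:00:00 2004 GMT")


def _rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


def ca_only_check(peercert):
    """Weak end of the scale: accept anything issued by the known CA."""
    return _rdn_value(peercert["issuer"], "commonName") == EXPECTED_ISSUER_CN


def check_client_cert(peercert, der_bytes, now=FIXED_NOW):
    """Strong end of the scale. Returns (accepted, reason).

    peercert:  dict as returned by ssl.SSLSocket.getpeercert()
    der_bytes: bytes as returned by getpeercert(binary_form=True)
    """
    if ssl.cert_time_to_seconds(peercert["notAfter"]) < now:
        return False, "certificate expired"
    if not ca_only_check(peercert):
        return False, "issuer is not the expected CA"
    cn = _rdn_value(peercert["subject"], "commonName")
    if cn not in ALLOWED_SUBJECT_CNS:
        return False, f"subject {cn!r} not on the allow-list"
    if fingerprint(der_bytes) not in PINNED_FINGERPRINTS:
        return False, "fingerprint not pinned"
    return True, "ok"


# --- constructed sample certificates -------------------------------------
def _sample_cert(subject_cn, issuer_cn, not_after):
    return {
        "version": 3,
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("organizationName", "Example Corp"),),
                   (("commonName", issuer_cn),)),
        "notAfter": not_after,
    }


# An enrolled user: subject on the allow-list and fingerprint pinned.
ALICE_DER = b"constructed-der-bytes-for-alice"
ALICE = _sample_cert("alice@example.test", EXPECTED_ISSUER_CN,
                     "Apr  7 00:00:00 2034 GMT")
PINNED_FINGERPRINTS.add(fingerprint(ALICE_DER))

# Same trusted CA, valid chain, but nobody enrolled this certificate.
# The CA-only server lets it in; the full check does not.
MALLORY_DER = b"constructed-der-bytes-for-mallory"
MALLORY = _sample_cert("mallory@example.test", EXPECTED_ISSUER_CN,
                       "Apr  7 00:00:00 2034 GMT")

if __name__ == "__main__":
    print("CA-only, mallory:", ca_only_check(MALLORY))            # True
    print("full check, mallory:", check_client_cert(MALLORY, MALLORY_DER))
    print("full check, alice:", check_client_cert(ALICE, ALICE_DER))
```

The point of keeping `ca_only_check` as the first step of `check_client_cert` is that the full check is strictly a superset: a server at the weak end of the scale is not misconfigured so much as unfinished, and the test of how far along it is, as the reply suggests, is whether a certificate from the same CA but an unexpected subject gets through.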