
List:       webappsec
Subject:    RE: Evading Client-Certificate Authentication
From:       "email lists" <lists () darrenmackay ! com>
Date:       2004-04-06 22:11:43
Message-ID: 035C9F7CE28601428BBB5B051C9F77F20178E9 () orion

There are 2 ends of the scale for client certificate authentication:

1. ensure the client certs are signed by any known CA (i.e. CAs known
to the web server / web server ssl library)

2. ensure the client certificate CA, subject, fingerprint, etc are what
the web server is expecting.

and of course anywhere in between these 2 extremes. One would hope that
the web server is configured towards the latter.

A lot of web servers that I have seen are only configured for a known CA
and do not perform full checks of the client cert (CA, subject,
fingerprint, etc). As the site appears to be using the Verisign personal
certs for client authentication, you could obtain your own personal cert
from Verisign and attempt to authenticate using your cert - this will
confirm how the client cert authentication process is configured.

That said, if the site in question is only configured to check for a
known CA for the client cert, AND the site uses a private CA, then to
authenticate to the website requires the client cert to be generated
internally in the organisation (assumes the private CA is well protected,
etc).


On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:

> Whilst in the middle of a Penetration Test I stumbled on a web server only
> serving SSL and demanding the client to present a certificate to identify
> himself.
> I tried to nikto it with sslproxy and browse the site through paros, both
> with a temporary Verisign personal certificate.
> No such luck, the server keeps bouncing me off. Even vulnerability scanners
> like Nessus and Retina don't get past the port-scan portion.
>
> Does anyone have an idea to further assess this server? Am I looking at a
> mission impossible here maybe?
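The strict end of the scale from the reply above (chain to a known CA, then also check the issuer and a fingerprint the server enrolled) as server-side verification logic; this is an added Go example, not code from the thread or from any product mentioned in it. CheckClientCert, Fingerprint, MkCert, the CA name "Example Private CA" and the users alice/mallory are all constructed for the demo, and MkCert is only a self-signed test fixture standing in for a real private CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the hex SHA-256 of the certificate's DER encoding, the value a server would enrol.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// CheckClientCert is the strict end of the scale: chain to a known root, then pin the issuer and an enrolled fingerprint.
func CheckClientCert(cert *x509.Certificate, roots *x509.CertPool, issuerCN string, enrolled map[string]bool) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err) // the only check a "known CA" deployment makes; anything the CA ever issued passes it
	}
	if cert.Issuer.CommonName != issuerCN || !enrolled[Fingerprint(cert)] {
		return fmt.Errorf("%q chains to a trusted root but is not an expected client cert", cert.Subject.CommonName)
	}
	return nil
}

// MkCert issues a short-lived Ed25519 cert; parent == nil gives a self-signed CA. Test fixture only.
func MkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	ca, caKey := MkCert("Example Private CA", nil, nil) // constructed fixture, not a real CA
	alice, _ := MkCert("alice", ca, caKey)
	mallory, _ := MkCert("mallory", ca, caKey) // signed by the same CA, but never enrolled
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	enrolled := map[string]bool{Fingerprint(alice): true}
	fmt.Println(CheckClientCert(alice, roots, "Example Private CA", enrolled), "|", CheckClientCert(mallory, roots, "Example Private CA", enrolled))
}
```

Both certs chain to the same CA, so a server at the "known CA" end of the scale accepts mallory as readily as alice; only the issuer and fingerprint pins tell them apart.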
