On 2/18/10 5:54 AM, Eddy Nigg wrote:
> Which reminds me that we were at this stage already in the past.
> Basically the authenticated session would have to be relayed through to
> the second server, something I rather prefer not to do. I suspect that
> there is no other way around that.

You could always patch your servers to support the new protocol. Unfortunately this flaw is not fixed until all servers and all clients are patched, and getting there is going to be painful. If you use Apache then patches are available for both mod_nss and mod_ssl. If you use some other server then site admins such as yourself should contact them and press for a solution. You'll need one soon enough, and getting fixes from a non-open-source vendor might take a long lead time.

I don't expect to ship a stable version of Firefox with broken SSL client-auth any time soon but it seemed appropriate for "Minefield" testing. We may revisit the Minefield choice if it's breaking too much, but maybe we'll just release note the temporary pref -- Minefield users are supposed to be savvy consumers of alpha software well capable of handling that kind of thing.

-Dan Veditz

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto