https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196039#M40010 <P>I've read the docs regarding a solution for the SSL/TLS renegotiation vulnerability for the CSS devices and I have a question regarding the recommendation of using ssl-server authentication.</P><P></P><P>In the doc it states that with ssl-server authentication configured ssl connections will require the client to exchange a certificate during the ssl handshake process and that the CSS will verify the cert is valid.&nbsp; I'm trying to determine if the client certificate is an x.509 certificate, a standard CA the client would issue or is it change that the cert and key matches what I have configured in my ssl-proxy-list????</P><P></P><P>I have way to many clients to go back and work through a deployment for x.509 so if thats the case is there something else I can do to resolve this vulnerabilty.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Wed, 27 Mar 2013 15:52:08 GMT shday 2013-03-27T15:52:08Z https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196039#M40010 <P>I've read the docs regarding a solution for the SSL/TLS renegotiation vulnerability for the CSS devices and I have a question regarding the recommendation of using ssl-server authentication.</P><P></P><P>In the doc it states that with ssl-server authentication configured ssl connections will require the client to exchange a certificate during the ssl handshake process and that the CSS will verify the cert is valid.&nbsp; I'm trying to determine if the client certificate is an x.509 certificate, a standard CA the client would issue or is it change that the cert and key matches what I have configured in my ssl-proxy-list????</P><P></P><P>I have way to many clients to go back and work through a deployment for x.509 so if thats the case is there something else I can do to resolve this vulnerabilty.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Wed, 27 Mar 2013 15:52:08 GMT https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196039#M40010 shday 2013-03-27T15:52:08Z https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196040#M40011 <HTML><HEAD></HEAD><BODY><P> Hi, </P><P></P><P>Client certs are also x.509 type certs and would be issued by CA. Client authentication is also optional and is used by server to confirm the identity of client to which it is talking to.</P><P></P><P>Which vulnerability are you referreing to and in which version? </P><P></P><P>As far as i know client authentication adds an extra parameter of security but is optional.</P><P></P><P>Regards,</P><P>Kanwal</P></BODY></HTML> Thu, 28 Mar 2013 09:22:08 GMT https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196040#M40011 Kanwaljeet Singh 2013-03-28T09:22:08Z https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196041#M40012 <HTML><HEAD></HEAD><BODY><P>What version are you running?</P><P></P><P>Jorge</P></BODY></HTML> Thu, 28 Mar 2013 21:09:51 GMT https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196041#M40012 Jorge Bejarano 2013-03-28T21:09:51Z https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196042#M40013 <HTML><HEAD></HEAD><BODY><P>sg0810401 (08.10.4.01)</P><P></P><P>The vulnerability is&nbsp; </P><H3>Advisory ID: cisco-sa-20091109-tls</H3></BODY></HTML> Wed, 03 Apr 2013 17:48:32 GMT https://community.cisco.com/t5/application-networking/css11500-ssl-server-authentication/m-p/2196042#M40013 shday 2013-04-03T17:48:32Z