cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
711
Views
0
Helpful
3
Replies

CSS11500 ssl-server authentication

shday
Level 1
Level 1

I've read the docs regarding a solution for the SSL/TLS renegotiation vulnerability for the CSS devices and I have a question regarding the recommendation of using ssl-server authentication.

In the doc it states that with ssl-server authentication configured ssl connections will require the client to exchange a certificate during the ssl handshake process and that the CSS will verify the cert is valid.  I'm trying to determine if the client certificate is an x.509 certificate, a standard CA the client would issue or is it change that the cert and key matches what I have configured in my ssl-proxy-list????

I have way to many clients to go back and work through a deployment for x.509 so if thats the case is there something else I can do to resolve this vulnerabilty.           

3 Replies 3

Kanwaljeet Singh
Cisco Employee
Cisco Employee

Hi,

Client certs are also x.509 type certs and would be issued by CA. Client authentication is also optional and is used by server to confirm the identity of client to which it is talking to.

Which vulnerability are you referreing to and in which version?

As far as i know client authentication adds an extra parameter of security but is optional.

Regards,

Kanwal

Jorge Bejarano
Level 4
Level 4

What version are you running?

Jorge

sg0810401 (08.10.4.01)

The vulnerability is 

Advisory ID: cisco-sa-20091109-tls

Review Cisco Networking for a $25 gift card