RE: Evading Client-Certificate Authentication
From: "email lists" <lists () darrenmackay com>
Date: Wed, 7 Apr 2004 08:11:43 +1000
There are 2 ends of the scale for client certificate authentication:
1. ensure the client certs are signed by any known CA (ie - CAs known
to the web server / web server ssl library)
2. ensure the client certificate CA, subject, fingerprint, etc are what
the web server is expecting.
and of course anywhere in between these 2 extremes. One would hope that
the web server is configured towards the latter.
A lot of web servers that I have seen are only configured for a known CA
and do not perform full checks of the client cert (ca, subject,
fingerprint, etc). As the site appears to be using the Verisign personal
certs for client authentication, you could obtain your own personal cert
from Verisign and attempt to authenticate using your cert - this will
confirm how the client cert authentication process is configured
That said, if the site in question is only configured to check for a
known CA for the client cert, AND the site uses a private CA, then to
authenticate to the website requires the client cert to be generated
internally in the organisation (assumes the private CA is well protected,
On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:
Whilst in the middle of a Penetration Test I stumbled on a web server
serving SSL and demanding the client to present
a certificate to identify himself.
I tried to nikto it with sslproxy and browse the site thru paros both
temporary Verisign personal certificate.
No such luck, the server keeps bouncing me off. Even vulnerability
like Nessus and Retina don't get past
the port-scan portion.
Does anyone have an idea to further assess this server? Am I looking
mission impossible here maybe?
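The two ends of the scale described in the reply above, as an added example that is not part of the original thread: a server-side check that either accepts any certificate chaining to a known CA (the weak end) or additionally requires the exact subject and SHA-256 fingerprint the server expects (the strict end). The CA, the "alice"/"mallory" certificates and `mkCert`/`CheckClient` are constructed for this illustration, not taken from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a constructed test certificate for cn; parent == nil means a self-signed CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// fingerprint is the SHA-256 of the DER-encoded certificate as lowercase hex.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// CheckClient verifies a presented client cert c. strict=false is the weak "signed by a known CA"
// setup; strict=true also requires the subject CN and the SHA-256 fingerprint the server expects.
func CheckClient(c, ca, expected *x509.Certificate, strict bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err) // unknown CA, expired, wrong EKU, ...
	}
	if strict && c.Subject.CommonName != expected.Subject.CommonName {
		return fmt.Errorf("subject %q is not the expected %q", c.Subject.CommonName, expected.Subject.CommonName)
	}
	if strict && fingerprint(c) != fingerprint(expected) {
		return fmt.Errorf("fingerprint %s is not the pinned one", fingerprint(c)) // same CA, same CN, other key
	}
	return nil
}
```

With strict=false, any certificate issued by the trusted CA passes, which is why a public CA used for client auth lets any of its customers through; with strict=true, even a second certificate carrying the same CN from the same CA is rejected by the fingerprint pin.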