Installation guide
TLS Renegotiation Attack" provides additional details about this flaw.
In Certificate System, this kind of session renegotiation occurs if a user connects to an end-entity port
that doesn't require client authentication, but then attempts to submit a certificate enrollment form for an
enrollment profile that requires client authentication. The Certificate System server requests and then
parses a client certificate for the user.
To fix both client-initiated and server-initiated renegotiation, both the client and the server need to
be updated to apply RFC 5746, which resolves the man-in-the-middle vulnerability. For the
Certificate System subsystems, the resolution is supplied through Errata RHBA-2010:0169 and Errata
RHBA-2010:0165, plus these configuration changes.
Certificate System supports several different clients:
Certificate System and third-party RA subsystems (used by both regular users and SCEP services)
TPS subsystems, which connect to the CA for token operations
The Windows Autoenrollment Proxy
Web browsers, which are used by users to connect to the CA's end-entities pages
Updating the system NSS packages on any system that hosts a Certificate System subsystem will take
care of all subsystem communication. When the NSS packages are updated, the CA-RA and CA-TPS
connections will use the new session renegotiation protocol and all of the operations will proceed as
normal.
Additional configuration changes may need to be made for the Windows auto-enrollment proxy or
third-party RAs if those systems aren't updated to use the new renegotiation protocol. Contact Red Hat
support for information on what needs to be done for those clients.
It is unclear when browser clients will have updates available and applied to use the new session
renegotiation protocol. If these clients aren't updated but the server is, connections to the
subsystem server may fail.
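A peer that has applied RFC 5746 announces it in its hello message: the client by including the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher-suite value or the renegotiation_info extension, the server by echoing that extension back. The following added example, which is not part of this guide or of Certificate System, parses ClientHello and ServerHello handshake bodies for that signal so an administrator can tell an updated peer from a legacy one; the builder functions and sample messages are constructed for illustration, not captured traffic.

```python
import struct

RENEG_INFO_EXT = 0xFF01     # RFC 5746 renegotiation_info extension type
EMPTY_RENEG_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher-suite value
# renegotiation_info with an empty renegotiated_connection, as sent on an initial handshake
RENEG_EXT_EMPTY = struct.pack(">HHB", RENEG_INFO_EXT, 1, 0)

def _extensions(block):
    """Yield (type, data) pairs from a TLS extensions block (leading length removed)."""
    i = 0
    while i + 4 <= len(block):
        etype, elen = struct.unpack_from(">HH", block, i)
        yield etype, block[i + 4:i + 4 + elen]
        i += 4 + elen

def _has_reneg_ext(hello, i):
    """True if the extensions block starting at offset i contains renegotiation_info."""
    if i + 2 > len(hello):
        return False  # no extensions block at all: a pre-RFC 5746 peer
    ext_len = struct.unpack_from(">H", hello, i)[0]
    return any(t == RENEG_INFO_EXT for t, _ in _extensions(hello[i + 2:i + 2 + ext_len]))

def client_signals_secure_reneg(body):
    """body: ClientHello handshake body. True if the SCSV or the extension is present."""
    i = 2 + 32 + 1 + body[34]  # client_version, random, session_id
    cs_len = struct.unpack_from(">H", body, i)[0]
    suites = {struct.unpack_from(">H", body, i + 2 + k)[0] for k in range(0, cs_len, 2)}
    i += 2 + cs_len
    i += 1 + body[i]           # compression_methods
    return EMPTY_RENEG_SCSV in suites or _has_reneg_ext(body, i)

def server_signals_secure_reneg(body):
    """body: ServerHello handshake body. True only if renegotiation_info is echoed back."""
    i = 2 + 32 + 1 + body[34]  # server_version, random, session_id
    i += 2 + 1                 # cipher_suite, compression_method
    return _has_reneg_ext(body, i)

# Constructed sample messages (builders, not captures) for trying the checks offline.
def make_client_hello(suites, extensions=b""):
    body = b"\x03\x01" + bytes(32) + b"\x00"  # TLS 1.0, zeroed random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                       # one compression method: null
    return body + (struct.pack(">H", len(extensions)) + extensions if extensions else b"")

def make_server_hello(suite, extensions=b""):
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return body + (struct.pack(">H", len(extensions)) + extensions if extensions else b"")

if __name__ == "__main__":
    print("client updated:", client_signals_secure_reneg(make_client_hello([0x002F, EMPTY_RENEG_SCSV])))
    print("server updated:", server_signals_secure_reneg(make_server_hello(0x002F)))
```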
NOTE
These changes are not required if all clients accessing Certificate System are upgraded to
support RFC 5746.
Certificate System 8.0 uses the Red Hat Enterprise Linux 5 system NSS packages. Updated NSS
packages for Red Hat Enterprise Linux 5 are available as part of Errata RHBA-2010:0165. Existing
instances need to be reconfigured to add the new port, and direct requests to this port. Any new
instances will automatically have these changes applied.
Procedure 1. For Existing CAs
1. Before making any edits to the CA configuration, back up the following files:
/var/lib/instance_name/webapps/ca/WEB-INF/web.xml
/var/lib/instance_name/web-apps.ee/ca/ee/ca/ProfileSelect.template
/var/lib/instance_name/conf/server.xml
/etc/init.d/instance_name
2. Since database changes are also required, back up the database.
3. Modify the server.xml file to add the new client authentication end-entities port.
8. Known Issues