Can a particular web page in a web site authenticate a web request using a client-side SSL certificate, while others don't?

A: 

I believe the most common way to secure a single page is to put it in a subfolder that is SSL-secured.

This article may help: http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx

Dave Swersky
+1  A: 

It's possible using SSL/TLS renegotiation. The way to configure it depends on the server you're using (and whether it supports it).

Note that, at the end of last year (October/November 2009), an SSL/TLS protocol flaw was discovered regarding this feature. SSL/TLS stacks that support renegotiation based on code before that will be vulnerable to the attack. Most libraries did an emergency security update where they disable renegotiation altogether (therefore removing the client-certificate renegotiation). In February 2010, RFC 5746 was published with a fix to this problem, but not all stacks implement it yet.

Bruno
For implementation status in the underlying SSL/TLS library read this: http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches

As far as I'm aware, Microsoft/IIS hasn't released any fix to this vulnerability (either stopping bad renegotiation or implementing the fix).
Bruno
Thank you for the answer, I will try this one.
amz
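
The per-path client-certificate setup discussed in the second answer, as an added example that is not part of the original thread. It assumes Apache httpd with mod_ssl (the thread does not name a server); the host name, file paths and the `/secure` location are placeholders.

```apache
# Added example: Apache httpd + mod_ssl is an assumption, as are the
# host name, certificate paths and the /secure location.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # CA whose client certificates are accepted.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # Site-wide default: no client certificate is requested during
    # the initial handshake, so ordinary pages work for any visitor.
    SSLVerifyClient none

    # Refuse renegotiation with clients that lack RFC 5746 support.
    # "off" is the default; setting it to "on" would allow the
    # unpatched renegotiation behaviour the answer warns about.
    SSLInsecureRenegotiation off

    <Location "/secure">
        # Per-location override: once the request path is known,
        # mod_ssl renegotiates the established connection to ask
        # for a client certificate, for this path only.
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>
```

With this layout a client that cannot renegotiate securely still reaches the rest of the site but is refused at `/secure`, which is the safe failure mode.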