Security Vulnerability: Logged out users authenticated with X509 certificates can log back in without resending personal certificates using the same browser window
- Novell Access Manager 3 Support Pack 4 applied
- X509 authentication enabled on Identity Server
- Problem common to Internet Explorer (IE) and Firefox browsers
- Client certificates sent from browser to Identity Server
As long as the browser is not closed (the user can even remove the smartcard containing the X509 certificate!) and the session timeouts have not expired, another user can sit down at the same browser window and take over the previous user's session without being prompted to log in again.
One workaround is to add a warning at logout so that users recognise the importance of closing the browser. There are other options to force the browser window to close.
Another possible solution is to clear the SSL session cache of the browser after logout. On IE, for example, this can be done via Internet Options -> Content -> Clear SSL State.
1. In the above case the browser does not perform a full SSL handshake but an abbreviated (partial) one. The ClientHello sent on the subsequent request after the user logs out includes an SSL session ID that the server still holds in its session cache, so the server resumes that session without requesting the client certificate again. By closing the browser and reopening it, the ClientHello carries an empty (zero-length) session ID and a full handshake, including client certificate authentication, is performed with the SSL server.
2. The Tomcat SSL server does not clear the cached entry upon logout from the Identity Server. There is a feature request to include this in future Tomcat builds, but so far it has not been made available (Apache httpd does have an option to clear the SSL state). The defect number for tracking purposes is available at https://issues.apache.org/bugzilla/show_bug.cgi?id=44285. When this is available, the Identity Server can interface with Tomcat's SSL cache and reset the session upon logout. The requirement to regenerate the SSL keys is sent by the server that initiates the mutual SSL session (the Identity Server in our case), but as we interface with Tomcat, and Tomcat does not provide an option to set this mutual SSL key regeneration timer, the workarounds above have to be used.
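To make concrete what the server sees in the two cases of point 1, here is an added example in Python (not from this TID, Access Manager or Tomcat): it constructs a TLS 1.0 ClientHello record with and without a session ID, following the layout in RFC 5246, and parses out the session ID field that decides between an abbreviated handshake and a full one that re-requests the client certificate. The cipher suites, the all-zero random and the 32-byte session ID are constructed sample values; the parser can equally be pointed at ClientHello records taken from a packet capture.

```python
import struct

HANDSHAKE, CLIENT_HELLO, TLS1_0 = 22, 1, 0x0301


def build_client_hello(session_id: bytes, suites=(0x002F, 0x0035)) -> bytes:
    """Constructed sample: a TLS 1.0 ClientHello record carrying the given session ID."""
    body = struct.pack("!H", TLS1_0) + bytes(32)  # client_version + fixed 32-byte random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, TLS1_0, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return version, session_id and cipher_suites of the ClientHello in a TLS record."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != HANDSHAKE or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if body[0] != CLIENT_HELLO or len(hello) != hs_len:
        raise ValueError("not a complete ClientHello")
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]  # bytes 2..33 are the 32-byte client random
    if sid_len > 32:
        raise ValueError("session ID longer than 32 bytes")
    pos = 35
    session_id = hello[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "session_id": session_id, "cipher_suites": suites}


def is_resumption_attempt(record: bytes) -> bool:
    """True when the ClientHello carries a non-empty session ID, i.e. the browser asks
    the server to resume a cached session (abbreviated handshake, no CertificateRequest);
    an empty session ID forces a full handshake with client certificate authentication."""
    return len(parse_client_hello(record)["session_id"]) > 0


if __name__ == "__main__":
    after_logout = build_client_hello(bytes(range(32)))  # same browser window, cached ID
    fresh_browser = build_client_hello(b"")              # browser closed and reopened
    print("after logout, server resumes:", is_resumption_attempt(after_logout))    # True
    print("fresh browser, server resumes:", is_resumption_attempt(fresh_browser))  # False
```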
- Document ID: 7001788
- Creation Date: 04-NOV-08
- Modified Date: 26-APR-12
- Product: NetIQ Access Manager (NAM)