

Re: Issue with SSL client certificate

October 22, 2009 09:06AM
Thank you for responding so quickly.

When an HTTPS server requests a client to send a certificate, it must send
one or more Distinguished Names in the request. Otherwise the client does
not know what it should send (the client may have many certificates for
different servers). OpenSSL gets these Names from the provided CA certificate.

Snipped from Section 7.4.4, Certificate Request, of RFC 5246 (TLS Version 1.2), as follows:
A list of the distinguished names [X501] of acceptable
certificate_authorities, represented in DER-encoded format. These
distinguished names may specify a desired distinguished name for a
root CA or for a subordinate CA; thus, this message can be used to
describe known roots as well as a desired authorization space. If
the certificate_authorities list is empty, then the client MAY
send any certificate of the appropriate ClientCertificateType,
unless there is some external arrangement to the contrary.

My interpretation of this clause is that the "certificate_authorities" list is optional, so it is legal to have a zero-sized list of distinguished names. OpenSSL seems to handle the zero case fine, generating a CertificateRequest packet that looks like this (example from Wireshark):

Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 9
Certificate types count: 6
Certificate types (6 types)
Certificate type: RSA Fixed DH (3)
Certificate type: DSS Fixed DH (4)
Certificate type: Unknown (5)
Certificate type: Unknown (6)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Distinguished Names Length: 0

The client then responds with whatever cert it deems appropriate, which the server may validate or choose to ignore.

Thanks for your time.
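To make the wire layout concrete, here is an added parser (my own example code, not from this thread, nginx or OpenSSL) that decodes the CertificateRequest body shown in the Wireshark dump above, including the empty certificate_authorities case. The sample bytes and the "CN=Test CA" name are constructed for the example; the tls12 flag selects the RFC 5246 layout, which additionally carries supported_signature_algorithms (the 9-byte dump above only fits the TLS 1.0/1.1 layout without that field).

```python
import struct

# Constructed sample matching the Wireshark dump above: type 13, length 9,
# six certificate types, Distinguished Names Length 0 (TLS 1.0/1.1 layout,
# which has no supported_signature_algorithms field).
EMPTY_DN_MSG = bytes.fromhex("0d000009" "06" "030405060102" "0000")
# Constructed DER Name "CN=Test CA" and a message naming it as the only CA.
SAMPLE_DN = bytes.fromhex("30123110300e06035504030c0754657374204341")
ONE_DN_MSG = bytes.fromhex("0d00001b" "02" "0102" "0016" "0014") + SAMPLE_DN

CERT_TYPE_NAMES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}

def _u16(buf, pos):                      # big-endian uint16 with bounds check
    if pos + 2 > len(buf): raise ValueError("truncated length field")
    return struct.unpack_from("!H", buf, pos)[0], pos + 2

def _take(buf, pos, n):                  # n bytes with bounds check
    if pos + n > len(buf): raise ValueError("truncated vector")
    return bytes(buf[pos:pos + n]), pos + n

def parse_certificate_request(msg, tls12=False):
    """Parse a CertificateRequest (RFC 5246 7.4.4); tls12=True selects the
    layout with supported_signature_algorithms. Every length is checked, so a
    message whose lengths do not add up raises ValueError instead of parsing."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body, _ = _take(msg, 4, int.from_bytes(msg[1:4], "big"))
    if not body: raise ValueError("empty handshake body")
    cert_types, pos = _take(body, 1, body[0])
    sig_algs = []
    if tls12:
        sa_len, pos = _u16(body, pos)
        raw, pos = _take(body, pos, sa_len)
        if sa_len % 2: raise ValueError("odd signature_algorithms length")
        sig_algs = [(raw[i], raw[i + 1]) for i in range(0, sa_len, 2)]
    dn_len, pos = _u16(body, pos)
    dn_blob, pos = _take(body, pos, dn_len)
    if pos != len(body): raise ValueError("trailing bytes in body")
    names, off = [], 0
    while off < dn_len:                  # zero iterations for an empty list
        dn_size, off = _u16(dn_blob, off)
        name, off = _take(dn_blob, off, dn_size)
        names.append(name)
    return {"certificate_types": [CERT_TYPE_NAMES.get(t, f"unknown({t})") for t in cert_types],
            "signature_algorithms": sig_algs, "certificate_authorities": names}
```

Feeding the dump's bytes through with tls12=True raises ValueError, which is the quick way to confirm which layout a captured message uses before reasoning about why a client sent nothing.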
Thread (subject, author, posted):
Issue with SSL client certificate, scunningham, October 21, 2009 12:10PM
Re: Issue with SSL client certificate, Igor Sysoev, October 21, 2009 03:44PM
Re: Issue with SSL client certificate, scunningham, October 22, 2009 09:06AM
