Re: [TLS] Verifying X.509 Certificate Chains out of order

Peter Gutmann wrote, On 2008-10-12 00:05:
> Nelson B Bolyard <nelson at bolyard.me> writes:

>> - Client certs are requested in EVERY handshake.
>> [...]
>> - If the server receives a client certificate that it does not recognize
>>  as being authorized to authenticate any user, instead of ignoring the
>>  cert, and going on to request authentication using one of the other
>>  methods (e.g. user name and password), it drops the connection, usually
>>  without sending any alert.
> 
> Hmm, that's new, the behaviour I saw was that the servers always asked for
> certs but when sent a no-cert response they continued as normal.  What you're
> seeing could just be a variant of the same broken behaviour, only now the
> server does a bit more checking and fails on the cert it doesn't know it's
> asked for rather than just ignoring it.

I think we've been seeing the behaviors of the same product.
As you say, if you send a no-certificate response, the server continues
in the "normal" (no client auth) fashion.  But if you DO provide a client
cert, then the server drops the connection.
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
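The behaviour Nelson describes, reproduced as an added Go example (this is not code from the thread or from any product mentioned in it): a simulated server that asks for a client certificate in every handshake, continues normally on a no-certificate response, and drops the TCP connection without an alert when a certificate is presented, plus a probe that tells the two outcomes apart. The certificates are self-signed throwaways constructed for the demo; serveBroken and probe are names chosen here.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

func selfSigned() tls.Certificate { // throwaway self-signed cert, constructed for this demo only
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serveBroken models the server in the thread: it requests a client certificate in every
// handshake, proceeds on an empty certificate response, but drops unknown certs without any alert.
func serveBroken() string {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	srvCert := selfSigned()
	go func() { // handling one connection at a time is enough for sequential probes
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			cfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequestClientCert,
				VerifyPeerCertificate: func(certs [][]byte, _ [][]*x509.Certificate) error {
					if len(certs) == 0 { return nil } // no-cert response: carry on without client auth
					c.Close()                         // unknown cert: drop the connection, send nothing
					return net.ErrClosed
				}}
			if srv := tls.Server(c, cfg); srv.Handshake() == nil { srv.Write([]byte("ok")) }
			c.Close() // "ok" is the marker the probe waits for after its own handshake
		}
	}()
	return ln.Addr().String()
}

// probe reports whether a handshake with addr completes and the server keeps talking. The read
// matters: a TLS 1.3 client's Handshake returns before the server has even looked at its cert.
func probe(addr string, clientCerts []tls.Certificate) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true, Certificates: clientCerts}) // demo server is self-signed
	if err != nil { return false }
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(3 * time.Second))
	_, err = conn.Read(make([]byte, 2))
	return err == nil
}
```

Against a server showing this behaviour, probe(addr, nil) returns true and probe(addr, certs) returns false, which is the signature to look for before blaming the client's certificate chain.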