2

During SSL communication, the server sends its certificate to the client for authentication.
Optionally, the client could send its certificate too, for client authentication.
My question is, does the server (or client) send the entire chain to the client (i.e. signing certificates) or only its own certificate?
I have noticed that usually only its own certificate is being sent but I was wondering if it is configurable or it does not make sense to send the entire chain to the other party.

Thanks

user76678
  • 349
  • 3
  • 5
  • 16
  • Yes, it's configurable. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile for example. – derobert May 10 '11 at 21:17

2 Answers

4

It is configurable.

Any cert that is already known by the peer does not need to be sent (with the caveat that each certificate in the certificate_list must directly certify the one preceding it, except the first certificate, which does not have a preceding cert).

It never makes sense to send the root, under the assumption that the peer must already possess it in order to validate it in any case. As to intermediate certs, it depends on your particular certificate chain.

Jumbogram
  • 156
  • 2
  • 5
  • @Jumbogram: Does it make any sense to send the whole chain? Isn't it simpler only to keep the peer's certificate in the truststore? What would be the gain to configure the peers to need the whole chain? At least for client side to just keep the server's certificate in the trust store – user76678 May 11 '11 at 04:30
  • Certificates expire. Certificates are replaced for any number of reasons. Keeping server certificates becomes unmanageable. Plus, the protocol requires that the server send at least one certificate (for non-ANON cipher suites). – Jumbogram May 11 '11 at 10:09
  • @Jumbogram: Maybe I am missing your point. Certificates can expire or be replaced, ok. But why would I need to keep the whole chain in the truststore? – user76678 May 11 '11 at 18:02
  • If A signs B signs C, then trusting B implies a trust of A. So in some sense, it isn't necessary to trust B and A (unless A also signed Z signed Y). But space inside the truststore isn't expensive. – Jumbogram May 11 '11 at 20:52
  • The most sensible thing to do is to always send the whole chain except the root. There is little reason not to, and it should always work even if the peer already trusts a certificate below the root in the chain. – President James K. Polk May 11 '11 at 22:36
  • @GregS: some people prefer to avoid sensible behavior. – Jumbogram May 11 '11 at 23:18
2

To answer the part about the client, when the server asks for the client certificate it sends a list of CAs that it recognizes. The client only needs to send its cert chain up to one of those recognized CAs.

user207421
  • 1,010
  • 6
  • 16
  • +1, on this topic, this list is just a hint for the client regarding what the server would be willing to accept. The server doesn't have to accept certs from one of the CAs it lists (although it would be a bit silly, if there's nothing wrong with the client cert), and it can also accept certs from non-listed CAs (intermediate or not). The empty list also works (this is not clearly written in SSLv3/TLSv1, but is explicitly allowed in TLSv1.1). – Bruno May 15 '11 at 15:39
  • @Bruno RFC 2246 says (#7.4.4) CertificateRequest message contains 'a list of the distinguished names of acceptable certificate authorities', and (#7.4.6) 'if no suitable certificate is available, the client should send a certificate message containing no certificates'. I don't see how the client may legally send a cert from an unacceptable CA. – user207421 Jun 29 '11 at 04:40
  • You're right. Not sure why I phrased this comment this way (perhaps I had in mind the empty-list case). This being said, RFC 4346 (TLS 1.1) puts the emphasis on "SHOULD". Maybe the sentence about "if no cert is available[...]" is more about sending a certificate message at all, rather than focusing on which cert it contains... In practice, the server will always have the last word on what it wishes to accept anyway: situations where it accepts a cert it considers unsuitable would be quite strange. – Bruno Jun 29 '11 at 10:15
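Added illustration (not from either answerer) of the two rules the answers above describe: the server builds its certificate_list leaf-first with each certificate directly certifying the one before it and stops short of the self-signed root (RFC 5246 section 7.4.2), and the client sends its chain only as far as the first issuer named in the server's CertificateRequest CA list, or nothing when no chain reaches one (sections 7.4.4 and 7.4.6). Certificates are modelled as subject/issuer name pairs only; the `Cert` class, the helper names and the `CN=...` names in the demo are constructed for this example, and no real X.509 parsing or signature checking takes place.

```python
"""Toy model of TLS certificate_list construction and client certificate
selection.  A certificate is reduced to (subject, issuer); a self-signed
certificate (subject == issuer) stands in for a root CA."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def build_certificate_list(leaf: Cert, available: List[Cert]) -> List[Cert]:
    """Server side: leaf first, then each issuer in turn, stopping before the
    self-signed root (the peer must already trust it) or at the first issuer
    we do not hold (the peer must already have it)."""
    by_subject: Dict[str, Cert] = {c.subject: c for c in available}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.is_self_signed:
        parent = by_subject.get(current.issuer)
        if parent is None or parent.is_self_signed:
            break
        if parent.subject in seen:
            raise ValueError("cycle in certificate chain")
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def is_well_formed(chain: List[Cert]) -> bool:
    """RFC 5246 ordering rule: every certificate after the first must directly
    certify the one preceding it."""
    return all(chain[i + 1].subject == chain[i].issuer
               for i in range(len(chain) - 1))


def select_client_chain(leaf: Cert, available: List[Cert],
                        acceptable_cas: List[str]) -> Optional[List[Cert]]:
    """Client side: walk from the leaf until the current certificate's issuer
    is one of the CAs the server listed; that CA certificate itself is not
    sent.  An empty CA list (allowed in TLS 1.1) is treated as 'no hint', so
    the normal server-style chain is sent.  None means 'no suitable
    certificate', i.e. send an empty Certificate message."""
    if not acceptable_cas:
        return build_certificate_list(leaf, available)
    by_subject: Dict[str, Cert] = {c.subject: c for c in available}
    chain: List[Cert] = []
    seen = set()
    current = leaf
    while current.subject not in seen:
        seen.add(current.subject)
        chain.append(current)
        if current.issuer in acceptable_cas:
            return chain
        if current.is_self_signed:
            return None          # reached a root the server did not list
        parent = by_subject.get(current.issuer)
        if parent is None:
            return None          # chain cannot be continued
        current = parent
    raise ValueError("cycle in certificate chain")


# Constructed demo hierarchy (names are placeholders, not real CAs).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
LEAF = Cert("CN=server.example.test", "CN=Example Intermediate CA")
POOL = [ROOT, INTERMEDIATE, LEAF]

if __name__ == "__main__":
    print("server sends:", [c.subject for c in build_certificate_list(LEAF, POOL)])
    for cas in (["CN=Example Root CA"], ["CN=Example Intermediate CA"], ["CN=Other CA"], []):
        sel = select_client_chain(LEAF, POOL, cas)
        print("client, CAs", cas, "->", None if sel is None else [c.subject for c in sel])
```

Running the demo shows the server sending `[leaf, intermediate]` and never the root, and the client trimming its chain to whatever the server's CA list makes redundant; a pool without the intermediate yields a chain of just the leaf, which is exactly the case where a peer that does not already hold the intermediate fails to validate.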