
I have the following case: a client has only the root certificate in its trust store. During the TLS handshake a server sends its own certificate, signed by an intermediate certificate, to the client.

Will SSLEngine on the client side download the intermediate certificates to verify the server certificate until the engine reaches the root certificate that it already has in the trust store, and thus build a chain of trust and validate the server identity?

Please clarify the behavior of SSLEngine in Java.

Kirill Liubun

    I'm pretty sure it will not download the intermediate files because almost(?) no TLS engine does it. It is expected that the server provides the intermediate certificates inside the TLS handshake together with the server certificate. – Steffen Ullrich Jul 13 '17 at 17:00
  • Download from where? Why? How would that be secure? – user207421 Jul 15 '17 at 20:02
  • From the intermediate CA; sorry if this is a dumb question, I've never worked with SSLEngine before. – Kirill Liubun Jul 19 '17 at 16:22

1 Answer


No. It will try to unite the certificate chain provided by the server with one of the certificates in the truststore.

Downloading certificates for this purpose doesn't make sense. What the application trusts is defined by the truststore, not by arbitrary downloads.

user207421
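The behaviour the answer describes, shown as an added example that is not part of the question or answer: a trust store holding only the root, and the JDK's default PKIX `X509TrustManager` (the object `SSLEngine` hands the peer chain to during the handshake) asked to validate a server chain once with and once without the intermediate. BouncyCastle's `bcpkix` (and its `bcprov` dependency) is assumed on the classpath solely to mint a throwaway root, intermediate and server certificate; the names `Demo Root`, `Demo Intermediate` and `server.example` are placeholders constructed for the demo. One caveat a practitioner should know: the JDK's PKIX path builder can fetch issuer certificates from an AIA caIssuers URL, but only when the system property `com.sun.security.enableAIAcaIssuers` is set to `true`; it is `false` by default, so out of the box the engine does exactly what the answer says and the demo's certificates carry no AIA extension anyway.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Added demonstration (not from the original post): a trust store holding ONLY the root,
 * and a server chain that either does or does not include the intermediate. The trust
 * manager is the JDK's default PKIX X509TrustManager, the same object SSLEngine consults
 * to validate the peer's chain during the handshake.
 */
public class ChainBuildingDemo {

    /** Issue a certificate for subjectKey, signed by issuerKey (names are placeholders for this demo). */
    static X509Certificate issue(String subject, KeyPair subjectKey,
                                 String issuer, KeyPair issuerKey,
                                 boolean isCa, long serial) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial),
                new Date(now - 60_000L), new Date(now + 86_400_000L),
                new X500Name(subject), subjectKey.getPublic());
        // cA=true marks a certificate as allowed to sign other certificates; PKIX rejects
        // an intermediate that lacks it.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    /** Build the default (PKIX) X509TrustManager from a trust store that contains only the root. */
    static X509TrustManager trustManagerFor(X509Certificate root) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("demo-root", root);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Returns true if the chain the server presented validates against the root-only trust store. */
    static boolean serverChainTrusted(X509TrustManager tm, X509Certificate... presentedChain) {
        try {
            tm.checkServerTrusted(presentedChain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rootKey = kpg.generateKeyPair();
        KeyPair intermediateKey = kpg.generateKeyPair();
        KeyPair serverKey = kpg.generateKeyPair();

        X509Certificate root = issue("CN=Demo Root", rootKey, "CN=Demo Root", rootKey, true, 1);
        X509Certificate intermediate = issue("CN=Demo Intermediate", intermediateKey, "CN=Demo Root", rootKey, true, 2);
        X509Certificate server = issue("CN=server.example", serverKey, "CN=Demo Intermediate", intermediateKey, false, 3);

        X509TrustManager tm = trustManagerFor(root);

        // Correct server configuration: leaf followed by the intermediate. The trust manager
        // joins this chain to the root in the trust store and accepts it.
        System.out.println("leaf + intermediate trusted? " + serverChainTrusted(tm, server, intermediate));

        // Misconfigured server: leaf only. Nothing is downloaded (these certificates carry no
        // AIA extension, and the JDK's AIA fetching is off by default anyway), so path building
        // cannot reach the root and the chain is rejected.
        System.out.println("leaf only trusted? " + serverChainTrusted(tm, server));
    }
}
```

The second call is the situation in the question: the server omits the intermediate, the client has only the root, and the handshake fails with a path-building error rather than the engine going to fetch the missing certificate. The fix belongs on the server, which must send the leaf plus every intermediate, not in the client's trust store.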