Re: TLSv12 Client Certificate Selection Behavior !!

On 11/06/2019 12:50, Hareesh D wrote:
The TLSv12 client is sending an RSA certificate even when it doesn't have the digitalSignature bit in the keyUsage extension. But RFC 5246 section 7.4.6 says it is a MUST condition for the client to send an RSA certificate with the digitalSignature bit set in the keyUsage extension.

1. Though the server is rejecting such certificates, I am not sure why the client sends such certificates even when there is a MUST condition for this point. Should the client send an empty certificate list instead of sending the wrong one? The client has the provision of sending an empty certificate list when it doesn't have a suitable certificate according to the certificate request.

2. Also, the client is not checking the certificate_types requested in the certificate_message, and the server is not validating whether the response is according to the type requested. Consider the server requesting only a DSA certificate: the client sends an RSA certificate and the server accepts it.

Is this behavior valid and according to the RFC?

There's an overarching OpenSSL policy that certificate checks are
done exclusively by the relying end (for client certs, that's the
server), except when the certified end is trying to choose from
multiple certificates.

Thus, with only one certificate available, OpenSSL sends the
(untrusted, and in this case inappropriate) certificate, just in
case the server was somehow configured to make a special exception
for this particular case.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
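The two client-side checks the question asks about, written out as a small illustration. This is an added example, not code from this thread and not OpenSSL's own selection logic; the ClientCert record and the KeyUsage values are constructed stand-ins. It decodes the DER KeyUsage BIT STRING directly (RFC 5280 bit order), compares the candidate's key type against the certificate_types from the CertificateRequest (RFC 5246 section 7.4.4), requires digitalSignature when keyUsage is present (RFC 5246 section 7.4.6), and falls back to "no certificate" (an empty certificate list) when nothing qualifies.

```python
"""Client-side certificate suitability checks for a TLS 1.2 CertificateRequest.

Added illustration with a hypothetical ClientCert record; not OpenSSL code.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# KeyUsage bit positions from RFC 5280 section 4.2.1.3 (bit 0 is the MSB of the
# first content octet of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# ClientCertificateType values carried in CertificateRequest.certificate_types
# (RFC 5246 section 7.4.4; ecdsa_sign from RFC 4492).
RSA_SIGN, DSS_SIGN, ECDSA_SIGN = 1, 2, 64
CERT_TYPE_FOR_KEY = {"RSA": RSA_SIGN, "DSA": DSS_SIGN, "ECDSA": ECDSA_SIGN}


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER-encoded KeyUsage extension value (a BIT STRING) into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is at most 9 bits, so a short-form length is all we need to support.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused_bits = der[2]
    body = der[3:]
    if unused_bits > 7 or (unused_bits and not body):
        raise ValueError("invalid unused-bits octet")
    total_bits = len(body) * 8 - unused_bits
    usages = set()
    for bit, name in enumerate(KEY_USAGE_BITS):
        if bit >= total_bits:
            break  # DER drops trailing zero bits, so absent bits are clear
        if body[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(name)
    return usages


@dataclass
class ClientCert:
    """Constructed stand-in for a loaded certificate (only the fields we test)."""
    label: str
    key_type: str            # "RSA", "DSA" or "ECDSA"
    key_usage_der: bytes     # raw KeyUsage extension value, b"" when absent


def check_cert(cert: ClientCert, requested_types: List[int]) -> Tuple[bool, str]:
    """Apply the two checks from RFC 5246 section 7.4.6 to one candidate."""
    # Check 1: the key type must match one of the server's certificate_types.
    if CERT_TYPE_FOR_KEY.get(cert.key_type) not in requested_types:
        return False, "key type not among requested certificate_types"
    # Check 2: a signing certificate must carry digitalSignature if KeyUsage is present.
    if cert.key_usage_der:
        usages = decode_key_usage(cert.key_usage_der)
        if "digitalSignature" not in usages:
            return False, "keyUsage present but digitalSignature not set"
    return True, "acceptable"


def select_client_cert(candidates: List[ClientCert],
                       requested_types: List[int]) -> Optional[ClientCert]:
    """Return the first acceptable candidate; None means 'send an empty certificate list'."""
    for cert in candidates:
        ok, _reason = check_cert(cert, requested_types)
        if ok:
            return cert
    return None


# Constructed sample KeyUsage values (DER: tag 0x03, length, unused-bits octet, bits).
KU_SIGN_AND_ENC = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
KU_ENC_ONLY = bytes.fromhex("03020520")      # keyEncipherment only
KU_SIGN_ONLY = bytes.fromhex("03020780")     # digitalSignature only

if __name__ == "__main__":
    enc_only = ClientCert("rsa-enc-only", "RSA", KU_ENC_ONLY)
    signer = ClientCert("rsa-signer", "RSA", KU_SIGN_AND_ENC)
    for cert in (enc_only, signer):
        print(cert.label, check_cert(cert, [RSA_SIGN]))
    print("chosen:", select_client_cert([enc_only, signer], [RSA_SIGN]))
    print("DSA-only request:", select_client_cert([enc_only, signer], [DSS_SIGN]))
```

With a single encryption-only RSA certificate and a request for rsa_sign, select_client_cert returns None, i.e. the client would send an empty certificate list rather than an inappropriate one; with a DSA-only request the RSA signer is skipped as well. Whether a client should be this strict, or leave the decision to the server as the reply above describes, is the policy question of the thread; the example only shows what the RFC text asks for.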
