Re: [ssl-users] Client Certificates in Communicator 4.5
Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> Mon, 23 November 1998 02:00 UTC
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by ietf.org (8.8.5/8.8.7a) with ESMTP id VAA06725 for <smime-archive@odin.ietf.org>; Sun, 22 Nov 1998 21:00:57 -0500 (EST)
Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA26700 for ietf-smime-bks; Sun, 22 Nov 1998 16:44:16 -0800 (PST)
Received: from post.mail.demon.net (post-11.mail.demon.net [194.217.242.40]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA26696 for <ietf-smime@imc.org>; Sun, 22 Nov 1998 16:44:06 -0800 (PST)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.053 #1) id 0zhkAh-0001LC-00; Mon, 23 Nov 1998 00:48:07 +0000
Message-ID: <3658B031.E9FF7227@drh-consultancy.demon.co.uk>
Date: Mon, 23 Nov 1998 00:45:37 +0000
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: Bodo Moeller <Bodo_Moeller@public.uni-hamburg.de>
CC: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: [ssl-users] Client Certificates in Communicator 4.5
References: <m0zheY5-0003b7C@ulf.mali.sub.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk
Bodo Moeller wrote: > > Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>: > > It's not simply a "provision" to do so, in fact the server is even > obliged to send the list. The relevant definition (from > draft-ietf-tls-protocol-06.txt, but it's the same in the early SSL 3.0 > specs) is > > struct { > ClientCertificateType certificate_types<1..2^8-1>; > DistinguishedName certificate_authorities<3..2^16-1>; > } CertificateRequest; > > <3..2^16-1> means that the list of certification authorities is at > least 3 octets, at most 2^16-1 octets long -- i.e. may not be empty. > I think that SSLeay will send an empty list when > SSL_CTX_set_client_CA_list has not been called, but it is asked to > demand client certificates anyway. SSLeay-based software that > behaves in that way is in violation of the specification. > Yes it does violate the SSL spec in this sense but nevertheless Communicator versions before 4.06 permitted this and client auth worked fine with an empty list. MSIE and Communicator 4.06 and later offer a choice from the supplied list and give rather misleading behaviour when no match is taken: MSIE presents an empty list to choose from and Communicator just says you have no client certificates. > Also note that your wording "There is a provision to just send the > acceptable issuer names not just as part of the server chain" is > misleading. The certificates in the server chain may have nothing to > do with the CAs the server accepts for clients. For example, the > server's certificate might be issued by one of the large commercial > CAs (Verisign, Thawte, ...), but the only accepted client certs might > be those issued be the webmaster's own CA (perhaps used in order to > protect /server-stat and access to the logfiles from the public). > This has to be taken into the context of the original query where the sender was assuming that the acceptable CA list was just communicated by including the CAs as part of the server CA chain. Steve. -- Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. For info see homepage at http://www.drh-consultancy.demon.co.uk/ Email: shenson@drh-consultancy.demon.co.uk PGP key: via homepage.
- Re: [ssl-users] Client Certificates in Communicat… Dr Stephen Henson
- Re: [ssl-users] Client Certificates in Communicat… Dr Stephen Henson