Re: [TLS] Verifying X.509 Certificate Chains out of order

Martin Rex <> Mon, 13 October 2008 19:54 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 64EC83A692E; Mon, 13 Oct 2008 12:54:56 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9CFBA3A692E for <>; Mon, 13 Oct 2008 12:54:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.748
X-Spam-Status: No, score=-5.748 tagged_above=-999 required=5 tests=[AWL=0.501, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HMtKQL1Y3vfV for <>; Mon, 13 Oct 2008 12:54:54 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6A6F73A67AB for <>; Mon, 13 Oct 2008 12:54:54 -0700 (PDT)
Received: from by (26) with ESMTP id m9DJruoq026405; Mon, 13 Oct 2008 21:53:58 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
To: (Nelson B Bolyard)
Date: Mon, 13 Oct 2008 21:53:48 +0200 (MEST)
In-Reply-To: <> from "Nelson B Bolyard" at Oct 11, 8 02:40:54 pm
MIME-Version: 1.0
X-Scanner: Virus Scanner virwal08
X-SAP: out
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Nelson B Bolyard wrote:
> [interesting description snipped]
> Believing that these problems will not be quickly solved, Mozilla is working
> on implementing the ability for the client to remember the
> association of a user-chosen cert with a server, so that it can repeat
> that choice thereafter without bothering the user again.  However, this
> will certainly mask the issues of servers not reusing TLS sessions.

One of the very few features that I like about MSIE is that is has been
memorizing the users decision on a per-server basis for many years already.

With the help of this decision memorizing, MSIE also implements another
useful feature: it closes the SSL connection while it is prompting the
user for a decision.  Leaving the connection open and stalling the
server in the SSL handshake while showing the user a Popup UI for
an indeterminate amount of time is de-facto running a DoS on the server.

There were, however, also two real problems with this approach in MSIE
(I haven't check the current situation):
 1) on first connect to a server, when a CertificateRequest handshake
    message was received, MSIE tried to complete the SSL handshake
    by sending a "No Certificate" Alert or empty ClientCertificate
    handshake message.

    the OK-part:
      When the SSL server terminated the handshake with a fatal error
      after not receiving a certificate, MSIE closed the connection
      and prompted the user with a client certificate selection
      Message box (or tries automatic selection and
      suppress empty selection dialog box in MSIE >5.0).
    the NOT OK-part:
      When the SSL handshake completed successfully without client cert,
      then MSIE would never tell the user that the server asked for a
      client certificate and not offer the user to use one.

 2) if a server for which MSIE memorized to access without client cert
      suddenly would change his behaviour and fail the SSL-handshake
      when receiving the "no client Certificat" alert or empty ClientCert
      handshake message, MSIE would show a popup reporting
      "Unkown SSL error ..." instead of prompting the user to select
      a client certificate.

The only method to request a client certificate from MSIE after
a server lets him pass the SSL handshake without client cert is
to do a renegotiate and ask for the client certificate there.
This will not result in the "Unknown SSL error ...".

Looking at the issue of "what can or should TLS peers memorize", there
seems to be a shortcoming in how IIS caches sessions where it asked
for a client cert (via renegotiate) but didn't receive a client certificate.
Although resuming that session works, IIS will force the handshake through
a renegotiate asking for a client cert on each and every resume (and
by doing the renegotiate, it will issue a new SSL session ID -- which
is going to fill up the session cache of the server and client

TLS mailing list