
Java Security


TLS Handshake, Client Authentication, missing CertificateVerify Message

843811, Feb 8 2008 (edited Feb 9 2008)
Hi,

According to the TLS 1.0 specification (rfc2246) there are 2 additional client messages if client authentication is used.

- client certificate: the client's certificate chain
- certificate verify: a digitally signed hash of the handshake messages so far

The specification states for the certificate verify message:

"This message is only sent following a client certificate that has signing capability (i.e. all certificates except those containing fixed Diffie-Hellman parameters). When sent, it will immediately follow the client key exchange message."

During a TLS handshake with client authentication using JSSE (Java 1.4.2) on the client, with a keystore that contains ONLY a certificate without the corresponding private key, the client sends only the client certificate message but no certificate verify.

While I understand that the client is not able to sign the hash without the corresponding private key, I wonder if this behavior (sending the certificate without the certificate verify message) is correct according to the TLS 1.0 specification.

My questions (for those who would not read the stuff above ;) ):

- Is it a correct implementation of the TLS handshake protocol to skip the client verify message if the client does not possess the private key of the used certificate?

- (non-Java) Does someone know a way to force a SCHANNEL (Windows) server implementation to reject connections where the certificate verify message is missing?
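As an added illustration (not part of the original post), the following Python check implements the RFC 2246 rule quoted above: given the client's second handshake flight, it flags a non-empty Certificate message that is not followed by a CertificateVerify immediately after ClientKeyExchange. The flight bytes and the placeholder certificate are constructed here, and the check cannot distinguish a fixed Diffie-Hellman certificate (which legitimately omits CertificateVerify) from a signing certificate, so a flagged handshake still needs the certificate's key type inspected.

```python
import struct

# Constants from RFC 2246: record content types and handshake message types.
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE = 11, 15, 16


def parse_client_flight(data):
    """Return (handshake_type, body) per plaintext handshake message, stopping at ChangeCipherSpec."""
    messages, off = [], 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack_from("!BHH", data, off)  # record header
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        off += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break  # everything after this is encrypted
        pos = 0  # one record may carry several handshake messages
        while ctype == HANDSHAKE and pos + 4 <= len(frag):
            hs_len = int.from_bytes(frag[pos + 1:pos + 4], "big")
            body = frag[pos + 4:pos + 4 + hs_len]
            if len(body) != hs_len:
                raise ValueError("truncated handshake message")
            messages.append((frag[pos], body))
            pos += 4 + hs_len
    return messages


def check_certificate_verify(messages):
    """Classify as 'no-client-cert', 'ok' or 'missing-certificate-verify'."""
    types = [t for t, _ in messages]
    certs = [b for t, b in messages if t == CERTIFICATE]
    # A zero-length certificate list means the client declined to authenticate.
    if not certs or int.from_bytes(certs[0][:3], "big") == 0:
        return "no-client-cert"
    i = types.index(CLIENT_KEY_EXCHANGE) if CLIENT_KEY_EXCHANGE in types else -1
    if i >= 0 and i + 1 < len(types) and types[i + 1] == CERTIFICATE_VERIFY:
        return "ok"  # CertificateVerify immediately follows ClientKeyExchange
    return "missing-certificate-verify"


def build_flight(with_verify, cert_der=b"\x30\x03\x02\x01\x01"):
    """Constructed sample flight; cert_der is placeholder bytes, not a real certificate (None = declined)."""
    hs = lambda t, b: bytes([t]) + len(b).to_bytes(3, "big") + b
    rec = lambda ct, p: struct.pack("!BHH", ct, 0x0301, len(p)) + p
    entry = b"" if cert_der is None else len(cert_der).to_bytes(3, "big") + cert_der
    msgs = hs(CERTIFICATE, len(entry).to_bytes(3, "big") + entry)
    msgs += hs(CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb")
    if with_verify:
        msgs += hs(CERTIFICATE_VERIFY, b"\x00\x04\xde\xad\xbe\xef")
    return rec(HANDSHAKE, msgs) + rec(CHANGE_CIPHER_SPEC, b"\x01")
```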
Comments

Post details: added Feb 8 2008, locked Mar 8 2008 (new comments cannot be posted); 3 comments.