This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

2way SSL Capture?

We have a 2way SSL service running. Today we came across an issue that raised a question about a 2way SSL packet capture. In the Certificate exchange we noticed the Client sent an SSL Cert Length 0 (null), which we interpreted as the Client Certificate not being presented. To our surprise we achieved the same effect when the RootCAs or Intermediate CAs did not match. With all that being said, is there an indicator in the packet to differentiate between the 2 issues?

asked 24 Feb '15, 19:56

KickAss


One Answer:

When the client sends a "Certificate" handshake message with cert length 0, it means it did not have a suitable Client Certificate to send to the server. What this means exactly depends on the SSL client being used. In the case of a browser, it means either there were no client certificates available, or the user did not select one to send to the server if there were.

Can you elaborate on "To our surprise we achieved the same effect when the RootCA's or Intermediate CA's did not match."? What do you mean by "same effect"? A "Certificate" handshake message with cert length 0 perhaps? And there are several places on the client and server where CAs are configured, so which ones are you talking about exactly in this sentence?

answered 25 Feb '15, 01:39

SYN-bit

Since we are troubleshooting on the server side only, the captures revealed that the client certificate length was null (zero), which led us to believe that the client did not have the client certificate installed. However, upon further review the client did have the cert installed but had different RootCAs. From my understanding, that behavior is normal for a client when CAs don't match.

So back to my original question: since the client had different RootCAs than the server side had, is there a way to indicate that in a packet capture? To me they look identical to one another, but maybe I'm missing something?

(25 Feb '15, 09:08) KickAss

The "Certificate" handshake of the client will not be different. However, I would expect an "Alert" message from the client when it can not match the "Certficate" message from the server to any of it's trusted RootCA's. Could you post the handshake messages of the case where the client did not have the right RootCA installed?

If you can supply a capture file (on Cloudshark for instance), that would be great. You can anonymize the file with TraceWrangler if you need to remove the IP addresses and/or the TCP payload of the packets.

(27 Feb '15, 02:49) SYN-bit
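To make the two cases discussed in this thread visible at the byte level, here is an added Python example (not from the thread or from Wireshark) that parses raw TLS 1.2 records and tells an empty client "Certificate" message apart from a fatal "Alert" such as unknown_ca, which is the message SYN-bit expects when the client rejects the server's chain. The record bytes are constructed samples and the constant values are taken from RFC 5246.

```python
# Constants from RFC 5246 (TLS 1.2); only the values this thread touches.
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CERTIFICATE = 11
ALERT_NAMES = {42: "bad_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}


def parse_records(data: bytes):
    """Split a byte stream into (content_type, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, length = data[off], int.from_bytes(data[off + 3:off + 5], "big")
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")  # never misread as 'empty'
        records.append((ctype, payload))
        off += 5 + length
    return records


def classify(data: bytes):
    """Describe each record: empty client Certificate vs. an Alert such as unknown_ca."""
    findings = []
    for ctype, payload in parse_records(data):
        if ctype == CONTENT_ALERT:
            level, desc = payload[0], payload[1]
            sev = "fatal" if level == 2 else "warning"
            findings.append(f"Alert: {sev} {ALERT_NAMES.get(desc, f'alert_{desc}')}")
        elif ctype == CONTENT_HANDSHAKE:
            pos = 0
            while pos + 4 <= len(payload):  # one record may carry several messages
                hs_type = payload[pos]
                hs_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
                body = payload[pos + 4:pos + 4 + hs_len]
                pos += 4 + hs_len
                if hs_type == HANDSHAKE_CERTIFICATE:
                    certs_len = int.from_bytes(body[0:3], "big")
                    if certs_len == 0:
                        findings.append("Certificate: empty (no certificate presented)")
                        continue
                    count, cpos = 0, 3  # chain entries are 3-byte-length prefixed
                    while cpos < 3 + certs_len:
                        cpos += 3 + int.from_bytes(body[cpos:cpos + 3], "big")
                        count += 1
                    findings.append(f"Certificate: {count} certificate(s), {certs_len} bytes")
    return findings


# Constructed samples (not a real capture): empty Certificate, one-cert Certificate, fatal unknown_ca.
EMPTY_CERT = bytes.fromhex("1603030007" "0b000003" "000000")
ONE_CERT = bytes.fromhex("160303000e" "0b00000a" "000007" "000004" "deadbeef")
UNKNOWN_CA = bytes.fromhex("1503030002" "0230")
```

In Wireshark the same distinction is visible in the ssl.handshake.certificates_length and ssl.alert_message.desc fields of the client's packets.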