TLS mutual authentication

1
votes

The information below shows wire shark log for my ssl connection to one of my ldap server. In this client certificate length is zero. Please let me know what is meant by this. Is it because of lack of client authentication? For mutual authentication is it mandatory to contain the client certificate?

329 SSLv2   Client Hello
332 TLSv1   Server Hello, Certificate, Certificate Request, Server Hello Done
334 TLSv1   Certificate, Client Key Exchange
336 TLSv1   Change Cipher Spec, Encrypted Handshake Message
337 TLSv1   Change Cipher Spec, Encrypted Handshake Message

In frame 332 shows full certificate information and 334 shows Certificates Length: 0. in frame 334 client key Exchange contains enough information to pass the premaster-secret.

1
sslssl-certificate

1 Answers

6
votes

The Certificate Request message means that the server requested a client certificate (mandatory or not).

An empty Certificate message sent in response by the client means that the client didn't find a suitable client certificate to use (or chose not to use it).

Whether the server wants to carry on with this connection is up to its configuration. Client-certificate authentication can be optional.

This behaviour is described in the [TLS specification][1]:

This message is only sent if the server requests a certificate. If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. If the client does not send any certificates, the server MAY at its discretion either continue the handshake without client authentication, or respond with a fatal handshake_failure alert.

(This is from the TLS 1.2 specification, in TLS 1.1 and below, it was just [...] SHOULD send a certificate message [...].) [1]: https://www.rfc-editor.org/rfc/rfc5246#section-7.4.6