On 10/05/2009 05:13 AM, Nelson B Bolyard:
Eddy,
> We're talking about the status of the client cert, not the server cert.
Yes, exactly!
> The client doesn't do a validity check on its own cert before using it.
Really? Do me a favor and perform a few tests against the StartSSL
authentication. For this test please remove first all client
certificates you may have (obviously create a backup first).
- Try to authenticate using NO client certificate installed.
- Then try to use a certificate which has EXPIRED (you must have one
from previous attempts)
- Get a new certificate and I'll REVOKE it for you
- Get another certificate which is valid
We could add another test in which the server sends only the CA root as
the accepted cert; Firefox will fail when the CA issuer is missing (you
must remove it because it gets installed along with the certificate).
Other browsers know to fetch the intermediate CA; unfortunately Firefox,
under the disguise of paranoid privacy issue reasons, doesn't do that -
as if it matters at all at that stage.
> It doesn't check to see if its own cert has been revoked.
Make the test above, please.
> It doesn't even check to see that it has a complete cert chain.
I will provide you with an authentication utility where the server sends
the root and you don't have the intermediate CA installed.
> If it has an unexpired cert from any of the issuers named by the server
> (or from ANY issuer, if the server has named no issuers), and the cert's
> extensions do not obviously preclude it from being used for client auth,
> then the browser will send the cert.
This means the one and only case is when it has at least ONE VALID certificate.
For all the other cases Firefox users will see
*ssl_error_handshake_failure_alert* or *-12227* in the older versions
(that was even worse).
> If the browser has no cert to send,
> it sends a "I have no cert" message.
And what exactly do you expect the server should return in that case?
Probably that you can't authenticate without a certificate...it's about
as lame....
> It's entirely up to the server to
> decide what to do then. Many servers send back an alert and drop the
> connection, but SWS will happily complete the handshake anyway and send back
> a nice error page.
I would consider this a bug if it completes the handshake. On what
exactly are they agreeing? On what are they exchanging hands exactly? NUL?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
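Added example, not part of this thread and not NSS or Firefox code: a Go program using only the standard library that builds a constructed root -> intermediate -> user PKI and implements the client-cert selection rule Nelson states above (unexpired, issuer named by the server or any issuer when none is named, extensions not precluding client auth) next to the chain-completeness check behind Eddy's "root only, intermediate removed" test. The names Sendable, ChainComplete, BuildScenario and the "Test Root CA" hierarchy are assumptions of this example; comparing only the direct issuer against the server's list, and leaving revocation out, are simplifications of what a real client does.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// Constructed test PKI only; nothing here is StartCom's real hierarchy.
func mkCert(cn string, isCA bool, notBefore, notAfter time.Time, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Sendable applies the rule from the thread: offer the cert when it is unexpired, its issuer
// is among the CAs the server named (any issuer if it named none), and its extensions do not
// preclude client auth. acceptableCAs are DER subject names as sent in CertificateRequest.
func Sendable(cert *x509.Certificate, acceptableCAs [][]byte, now time.Time) bool {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false // the EXPIRED case from the test list
	}
	issuerOK := len(acceptableCAs) == 0 // no issuers named: any issuer is acceptable
	for _, ca := range acceptableCAs {
		issuerOK = issuerOK || bytes.Equal(cert.RawIssuer, ca)
	}
	// An absent EKU precludes nothing; a present EKU must include clientAuth (or anyEKU).
	ekuOK := len(cert.ExtKeyUsage) == 0
	for _, u := range cert.ExtKeyUsage {
		ekuOK = ekuOK || u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny
	}
	return issuerOK && ekuOK
}

// ChainComplete reports whether cert chains to a trusted root using only locally installed
// intermediates; a client that never fetches intermediates fails here once they are removed.
func ChainComplete(cert *x509.Certificate, roots, inters []*x509.Certificate, now time.Time) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range inters {
		interPool.AddCert(i)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario is the constructed hierarchy covering the expired, valid and wrong-EKU cases.
type Scenario struct {
	Root, Inter, Expired, Valid, ServerOnly *x509.Certificate
	Now                                     time.Time
}

func BuildScenario() Scenario {
	now, h := time.Now(), time.Hour
	root, rootKey := mkCert("Test Root CA", true, now.Add(-48*h), now.Add(87600*h), nil, nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", true, now.Add(-24*h), now.Add(43800*h), nil, root, rootKey)
	client := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	expired, _ := mkCert("expired user", false, now.Add(-72*h), now.Add(-h), client, inter, interKey)
	valid, _ := mkCert("valid user", false, now.Add(-h), now.Add(24*h), client, inter, interKey)
	srv, _ := mkCert("server-only", false, now.Add(-h), now.Add(24*h), []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	return Scenario{Root: root, Inter: inter, Expired: expired, Valid: valid, ServerOnly: srv, Now: now}
}

func main() {
	s := BuildScenario()
	for _, c := range []*x509.Certificate{s.Expired, s.Valid, s.ServerOnly} {
		fmt.Printf("%-12s sendable=%v\n", c.Subject.CommonName, Sendable(c, [][]byte{s.Inter.RawSubject}, s.Now))
	}
	fmt.Println("chain without intermediate:", ChainComplete(s.Valid, []*x509.Certificate{s.Root}, nil, s.Now))
}
```

Running it prints one sendable verdict per certificate and then shows that the valid user cert, which passes the selection rule, still cannot chain to the root once the intermediate is gone from the local store: that is the case behind the handshake failure Eddy describes, and it is why a server-side check on the received chain matters even when the client picked a "good" cert.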