Client Certificates for Mutual SSL

Question asked by Gary Vermeulen on May 27, 2016


Hey all,

Quick question regarding mutual SSL.

If a server enforces mutual SSL, on the server hello it sends a list of distinguished names to give the client an idea of which certificates the server will accept. In a web browser (I've tested using Chrome and IE), if you don't have a client certificate that matches one of these, you won't get an option to send one through.

Using curl (among other things) you can send through a client certificate explicitly.

My question is where (at which level in the OSI stack) and how (in traditional mutual SSL) this client certificate is verified; my guess would be the thumbprint? Once a client has proved that it has the private key using its public key, the thumbprint is secure.

The platform that I work on verifies the thumbprint at layer 7. It was raised as a risk by our networks team that the connection gets this far (I laughed that off, but it has been playing on my mind ever since, and some professional advice would be well received!).

Please forgive me and point me in the right direction if this is a commonly asked question that is available in a different thread.

Kind regards,

Gary

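The two verification points the question is asking about, as an added example that is not part of the original post or of any particular platform. In TLS the distinguished-name list the post describes travels in the server's CertificateRequest handshake message; the client answers with its Certificate and a CertificateVerify message, a signature over the handshake transcript made with the certificate's private key. The TLS library verifies that signature against the public key in the certificate and validates the chain against the server's trust store, all below the application layer; only a certificate that passes both checks reaches layer 7, where an application may additionally pin the certificate's thumbprint (a hash of its DER bytes). The code uses only the Python standard library (`ssl`, `hashlib`, `hmac`); `SAMPLE_DER` is constructed stand-in bytes, not a real certificate, and the function names are this example's own.

```python
"""Where a client certificate is checked in mutual TLS (added example).

Layer below the application: the TLS handshake. With verify_mode set to
CERT_REQUIRED the server's TLS library validates the client's certificate
chain against the loaded CA(s) and checks the CertificateVerify signature,
so the handshake simply fails for an unacceptable or unproven certificate.

Layer 7: after the handshake the application can read the client's DER
certificate and compare its hash (the thumbprint) with an allow-list.
That is an authorization step on top of the TLS-level authentication.
"""
import hashlib
import hmac
import ssl
from typing import Iterable, Optional

# Constructed stand-in for a DER-encoded certificate; NOT a real certificate.
# A real one comes from SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x03\x02\x07\x80"


def thumbprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Thumbprint = hash over the DER bytes of the whole certificate.

    Windows tooling shows SHA-1 by default; prefer SHA-256 for pinning.
    """
    return hashlib.new(algorithm, der_cert).hexdigest().lower()


def is_pinned(der_cert: bytes, allowed: Iterable[str], algorithm: str = "sha256") -> bool:
    """Layer-7 check: accept only certificates whose thumbprint is allow-listed.

    Accepts thumbprints in upper/lower case, with or without ':' separators.
    """
    actual = thumbprint(der_cert, algorithm)
    matched = False
    for entry in allowed:
        expected = entry.replace(":", "").replace(" ", "").lower()
        # Constant-time compare; keep scanning so timing does not reveal
        # which list position matched.
        if hmac.compare_digest(actual, expected):
            matched = True
    return matched


def default_server_context() -> ssl.SSLContext:
    """Weak setting: a server context that never asks for a client cert."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # CERT_NONE


def make_server_context(cafile: Optional[str] = None,
                        certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting: the handshake itself enforces mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # Handshake fails unless the client presents a cert chaining to a loaded CA
    # and proves possession of its private key (CertificateVerify).
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        # The subject DNs of these CAs are what the server advertises in its
        # CertificateRequest, i.e. the list browsers filter client certs by.
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def server_requires_client_cert(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED


def authorize_client(tls_sock: ssl.SSLSocket, allowed: Iterable[str]) -> bool:
    """Call after accept()/do_handshake(). By then TLS has already verified the
    chain and the signature; this adds the application-level thumbprint pin."""
    der = tls_sock.getpeercert(binary_form=True)
    if der is None:  # only possible when verify_mode is not CERT_REQUIRED
        return False
    return is_pinned(der, allowed)


if __name__ == "__main__":
    pin = thumbprint(SAMPLE_DER)
    print("sha256 thumbprint of the sample bytes:", pin)
    print("pinned:", is_pinned(SAMPLE_DER, [pin]))
    print("rejected after one-byte change:", not is_pinned(SAMPLE_DER + b"\x00", [pin]))
```

With `CERT_REQUIRED` and a trust store that contains only your own issuing CA, a client holding an unacceptable certificate never completes the handshake, so the layer-7 thumbprint check is defence in depth that picks out which CA-issued certificate may use the service. The configuration to worry about is the other one: `CERT_OPTIONAL`, `CERT_NONE`, or a trust store that accepts any public CA, because then the thumbprint comparison at layer 7 is the only control separating clients. On the client side, `curl --cert client.pem --key client.key --cacert server-ca.pem https://host/` sends a certificate explicitly, which is why curl can present one that a browser would not offer.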