
Client Certificates for Mutual SSL

Question asked by Gary Vermeulen on May 27, 2016

Hey all,


Quick question regarding mutual SSL


If a server enforces mutual SSL, in the server hello it sends a list of distinguished names to give the client an idea of which certificates the server will accept. In a web browser (I've tested using Chrome and IE), if you don't have a client certificate that matches one of these you won't get an option to send one through.


Using curl (among other things) you can send through a client certificate explicitly.


My question is where (level in the OSI stack) and how (traditional mutual SSL) this client certificate is verified; my guess would be the thumbprint? Once a client has proved that it has the private key using its public key, the thumbprint is secure.


The platform that I work on verifies the thumbprint at layer 7. It was raised as a risk by our networks team that the connection gets this far (I laughed that off, but it has been playing on my mind ever since and some professional advice would be well received!).


Please forgive me and point me in the right direction if this is a commonly asked question that is available in a different thread


Kind regards,
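An added example, not part of the original post, showing where each of the checks in the question actually happens. It is written in Go because its standard library can mint the throw-away certificates and run both ends of a TLS handshake in memory, so nothing below touches a real PKI; the CA name, the client names alice and mallory, and the two-second pipe deadline are assumptions of the demo. The TLS library verifies the client's chain and the CertificateVerify proof of private-key possession during the handshake itself; the thumbprint pin is placed in VerifyPeerCertificate so it also runs during the handshake, before any application-layer request is read. Go's default client withholds a certificate whose issuer is not in the server's DN list, which mirrors the browser behaviour in the question, and the force flag mirrors curl sending one anyway:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a throw-away P-256 certificate for cn (constructed test PKI, not real
// credentials). With parent == nil it is self-signed, otherwise parent signs it. One
// template serves CA and leaves to keep the demo short; a real CA profile would differ.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{"localhost"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	signer, issuer := key, tmpl // self-signed unless a parent is given
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// thumbprint is the SHA-256 hash of the DER certificate (browsers often display SHA-1).
func thumbprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// serverConfig makes the TLS library require a client certificate chaining to ca (chain
// and CertificateVerify are checked during the handshake) and additionally pins the leaf
// thumbprint; VerifyPeerCertificate runs inside the handshake too, before any request.
func serverConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, ca *x509.Certificate, allowed map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool, // its subject DNs are what the CertificateRequest advertises
		SessionTicketsDisabled: true, // no post-handshake writes over the synchronous in-memory pipe
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0] // populated only once chain verification has passed
			if !allowed[thumbprint(leaf)] {
				return fmt.Errorf("client %q rejected: unpinned thumbprint %s", leaf.Subject.CommonName, thumbprint(leaf))
			}
			return nil
		},
	}
}

// clientConfig presents cert. With force == false Go behaves like the browsers in the
// question and sends the certificate only if its issuer is in the server's DN list;
// with force == true it behaves like curl --cert and sends it regardless.
func clientConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, ca *x509.Certificate, force bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	tc := tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: []tls.Certificate{tc}}
	if force {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &tc, nil }
	}
	return cfg
}

// handshake runs one TLS handshake over an in-memory pipe and returns the server's
// verdict; the deadline keeps the synchronous pipe from deadlocking on an abort.
func handshake(server, client *tls.Config) error {
	sRaw, cRaw := net.Pipe()
	_ = sRaw.SetDeadline(time.Now().Add(2 * time.Second))
	result := make(chan error, 1)
	go func() {
		err := tls.Server(sRaw, server).Handshake()
		sRaw.Close()
		result <- err
	}()
	_ = tls.Client(cRaw, client).Handshake() // the client's own view is not what we check
	cRaw.Close()
	return <-result
}

// demo builds the constructed PKI (client CA, server, pinned client alice, CA-issued but
// unpinned mallory, and a self-signed impostor reusing alice's name) and returns each
// scenario's server-side verdict; "" means the handshake was accepted.
func demo() map[string]string {
	ca, caKey := issue("Demo Client CA", true, nil, nil)
	srv, srvKey := issue("localhost", false, ca, caKey)
	alice, aliceKey := issue("alice", false, ca, caKey)
	mallory, malloryKey := issue("mallory", false, ca, caKey)
	rogue, rogueKey := issue("alice", false, nil, nil)
	server := serverConfig(srv, srvKey, ca, map[string]bool{thumbprint(alice): true})
	verdict := func(cert *x509.Certificate, key *ecdsa.PrivateKey, force bool) string {
		if err := handshake(server, clientConfig(cert, key, ca, force)); err != nil {
			return err.Error()
		}
		return ""
	}
	return map[string]string{
		"alice":            verdict(alice, aliceKey, false),
		"mallory":          verdict(mallory, malloryKey, false),
		"impostor-browser": verdict(rogue, rogueKey, false),
		"impostor-curl":    verdict(rogue, rogueKey, true),
	}
}

func main() {
	fmt.Println(demo())
}
```

Running it shows the four outcomes: alice is accepted; mallory has a perfectly valid chain but is rejected by the pin, still inside the handshake; the impostor is never sent by the browser-style client (the server sees no certificate at all), and when forced curl-style it fails chain verification before the pin is ever consulted. Pinning at layer 7 instead, after a successful handshake, reaches the same decision but later: by then the TLS session is established with any holder of a CA-issued certificate, and whatever the application does before its own check has already run, which is the substance of the risk raised in the question. The pin here is SHA-256 over the DER certificate rather than the SHA-1 value many certificate viewers label "thumbprint".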