Reputation: 445
The information below shows a Wireshark log for my SSL connection to one of my LDAP servers. In this, the client certificate length is zero. Please let me know what is meant by this. Is it because of a lack of client authentication? For mutual authentication, is it mandatory to contain the client certificate?
329 SSLv2 Client Hello
332 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
334 TLSv1 Certificate, Client Key Exchange
336 TLSv1 Change Cipher Spec, Encrypted Handshake Message
337 TLSv1 Change Cipher Spec, Encrypted Handshake Message
Frame 332 shows full certificate information and frame 334 shows Certificates Length: 0. In frame 334, the Client Key Exchange contains enough information to pass the premaster secret.
Upvotes: 1
Views: 3300
Reputation: 122749
The `Certificate Request` message means that the server requested a client certificate (mandatory or not).
An empty `Certificate` message sent in response by the client means that the client didn't find a suitable client certificate to use (or chose not to use it).
Whether the server wants to carry on with this connection is up to its configuration. Client-certificate authentication can be optional.
This behaviour is described in the [TLS specification][1]:
> This message is only sent if the server requests a certificate. If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. If the client does not send any certificates, the server MAY at its discretion either continue the handshake without client authentication, or respond with a fatal handshake_failure alert.
(This is from the TLS 1.2 specification; in TLS 1.1 and below, it was just "[...] SHOULD send a certificate message [...]".)

[1]: https://www.rfc-editor.org/rfc/rfc5246#section-7.4.6
Upvotes: 6
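As an added example, not part of the original question or answer: a small Python parser for the TLS 1.2 Handshake messages inside one record (1-byte type, 3-byte length, and for a Certificate message the certificate_list with its own 3-byte length) that distinguishes the empty Certificate message seen in frame 334 from one that actually carries a certificate. The sample flight bytes and the fake certificate blob are constructed for this example; the record-layer header and encryption are assumed to be stripped already.

```python
# Added example (not from the original post): parse TLS 1.2 Handshake messages and
# tell an empty client Certificate (certificate_list length 0, frame 334) from a real one.
HANDSHAKE_TYPES = {11: "Certificate", 13: "CertificateRequest", 16: "ClientKeyExchange"}

def handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def certificate_message(certs: list) -> bytes:
    # Certificate message; an empty list yields a certificate_list of length 0.
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return handshake(11, len(entries).to_bytes(3, "big") + entries)

def parse_certificate_list(body: bytes) -> list:
    # certificate_list<0..2^24-1>: 3-byte total, then 3-byte-prefixed DER blobs.
    total = int.from_bytes(body[:3], "big")
    if 3 + total != len(body):
        raise ValueError("certificate_list length does not match body")
    certs, pos = [], 3
    while pos < 3 + total:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        der = body[pos + 3:pos + 3 + clen]
        if len(der) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(der)
        pos += 3 + clen
    return certs

def parse_handshake_messages(payload: bytes) -> list:
    # Split a record body into Handshake messages, decoding Certificate bodies.
    msgs, pos = [], 0
    while pos < len(payload):
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + length]
        if pos + 4 > len(payload) or len(body) != length:
            raise ValueError("truncated handshake message")
        msg = {"type": HANDSHAKE_TYPES.get(msg_type, f"unknown({msg_type})")}
        if msg_type == 11:
            msg["certificates"] = parse_certificate_list(body)
        msgs.append(msg)
        pos += 4 + length
    return msgs

def client_presented_certificate(payload: bytes) -> bool:
    # True only if the client's flight carries a Certificate message with an entry.
    return any(m["type"] == "Certificate" and m["certificates"]
               for m in parse_handshake_messages(payload))

# Constructed stand-in for frame 334 (empty Certificate + ClientKeyExchange) and the
# same flight with a fake (constructed, not real DER) blob as the client certificate.
EMPTY_FLIGHT = certificate_message([]) + handshake(16, b"\x00\x02\xaa\xbb")
CERT_FLIGHT = certificate_message([b"\x30\x03\x02\x01\x01"]) + handshake(16, b"\x00\x02\xaa\xbb")
```

Running `client_presented_certificate` over the client's flight is the check a server-side log or capture review needs: an empty list is exactly the "Certificates Length: 0" Wireshark shows, and whether that is acceptable depends on the server's client-auth setting.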