Reputation: 3595
My task is to parse the server name from HTTPS messages. I have been asked to parse it from the "client hello" extensions and also from the "certificate" message's "commonname" field.
There are multiple certificates in the "certificate" message. For example, when I open Google over HTTPS and listen to this via Wireshark, I see 2 certificates: the first has commonname "*.google.com" and the second has commonname "Google internet authority". The first one is the server name that I connected to; the second one is the authority who signed the certificate.
My question: can I be sure that the server name (google.com in my case) will always be in the first certificate of the certificate message? Do I need to care about the other certificates in a certificate message if I want to get the server name only?
Upvotes: 0
Views: 1958
Reputation: 4853
In fact, RFC 2246, 4346 and 5246 (respectively TLS 1.0, TLS 1.1 and TLS 1.2) all state that the server certificate should be the first one:
"This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it."
It was also clear in SSL 3.0:
"certificate_list: This is a sequence (chain) of X.509.v3 certificates, ordered with the sender's certificate first followed by any certificate authority certificates proceeding sequentially upward."
But in the real world, there are a lot of misconfigured servers sending certificates in whatever order, so you will have to reorder them, sorry.
Upvotes: 2
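The reordering the answer recommends, as an added example that is not part of the question or the answer: it splits a TLS 1.0-1.2 Certificate handshake body into its DER entries per the RFC 5246 framing, then finds the end-entity certificate by subject/issuer links rather than trusting position. The X.509 parsing itself is assumed to come from a library the caller supplies (the `names` callback); the `SAMPLE` blobs, names and `encode_certificate_message` helper are constructed here only to produce a misordered chain to run against.

```python
# Added example (not code from the question or the answer): split a TLS 1.0-1.2
# Certificate body (RFC 5246 s7.4.2) into DER blobs, then put the end-entity
# cert first even when the server sent the chain out of order. Subject/issuer
# names come from a caller-supplied X.509 parser; the sample uses stand-in blobs.

def split_certificate_message(body: bytes) -> list[bytes]:
    """certificate_list<0..2^24-1>: 3-byte total, then 3-byte-length entries."""
    if len(body) < 3 or int.from_bytes(body[:3], "big") + 3 != len(body):
        raise ValueError("certificate_list length does not match body")
    certs, pos = [], 3
    while pos < len(body):
        n = int.from_bytes(body[pos:pos + 3], "big")
        if pos + 3 + n > len(body):
            raise ValueError("truncated certificate entry")
        certs.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs

def encode_certificate_message(certs: list[bytes]) -> bytes:
    """Inverse of the above; used only to build the sample input."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries

def order_chain(certs: list[bytes], names) -> list[bytes]:
    """Leaf-first chain. names(der) -> (subject, issuer). The leaf is the one
    cert whose subject issued nothing else here; a self-signed root never is."""
    if len(certs) == 1:
        return list(certs)
    meta = {c: names(c) for c in certs}
    issuers = {iss for _, iss in meta.values()}
    leaves = [c for c, (subj, _) in meta.items() if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity cert, found {len(leaves)}")
    chain = [leaves[0]]
    while True:  # follow issuer links upward until the list runs out
        issuer = meta[chain[-1]][1]
        parent = next((c for c, (subj, _) in meta.items()
                       if subj == issuer and c not in chain), None)
        if parent is None:
            return chain
        chain.append(parent)

# Constructed stand-in blobs and names; real code would parse DER with an
# X.509 library (e.g. cryptography.x509.load_der_x509_certificate).
SAMPLE = {b"DER-leaf": ("*.google.com", "Google Internet Authority"),
          b"DER-int": ("Google Internet Authority", "Example Root CA"),
          b"DER-root": ("Example Root CA", "Example Root CA")}
MISORDERED_BODY = encode_certificate_message([b"DER-root", b"DER-int", b"DER-leaf"])
def server_name_from_body(body: bytes, names=SAMPLE.__getitem__) -> str:
    return names(order_chain(split_certificate_message(body), names)[0])[0]
```

A chain with no single leaf (or one whose issuer links are broken) raises instead of guessing, which is the case to log rather than silently take entry zero.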