SSL: Understanding self-signed-certificates

Question

I wondering how self-signed certificates generally getting checked in a SSL connection establishment.

Let's have a look on the self-signed certificates:

• client and server providing a self-signed certificate with its private key (created with OpenSSL e.g.)

• when the server receiving the "ClientHello" message from the client, he is transmitting his certificate to the client.

• The ServerHelloDone message is sent to the client, then the client needs to verify the certificate.

When the client is receiving the server certificate, what are his steps to verify this certificate? I know that self-signed certificates generally shouldn't be used in fact that there is no third-party instance (CA) to check against.

Does the client just accepting the server certificate without any further steps or does the client already provide a server "root" certificate before the connection getting established?

Answer 1

When the client is receiving the server certificate, what are his steps to verify this certificate?

client executes certificate chaining engine to verify the certificate. Important checks are:

1) certificate signature

2) certificate subject. CN attribute in Subject field (or appropriate name in Subject Alternative Name) must match entered URL. For example, you connect to www.example.com, then this name must be listed either in Subject and/or in SAN extension.

3) cert validity

4) cert revocation

5) certificate chains up to a trusted root (presented in self-signed form)

6) other checks defined in RFC5280 (including, but not limited to: enhanced key usage, policy constraints, name constraints, etc.).

in a case of self-signed certificate, certificate chain consist of a single element -- server certificate. In this case, client skips only step 4, because self-signed certificates cannot be revoked. And this self-signed certificate must be explicitly trusted by a client as a trusted root certificate, because all self-signed certificates are root certificates.