Force Chrome to send all certificates in chain during TLS


Problem description

I have written TLS code which is doing mutual authentication in Java, so the client sends its certificate after the server sends its certificate. I would like to validate, by OCSP, all the certificates in the certificate chain that comes from the client side to the server side.

I have written my loop logic assuming that the last certificate in the chain is the root (CA) certificate and that no OCSP query should be sent for it:

        int certificateChainSize = x509Certificates.length;

        // Verifies certificate chain respectively (issuer certificate required).
        CertificateResult response = null;

        try {
            // Assumes x509Certificates[certificateChainSize - 1] is the root CA,
            // so it is used only as an issuer and never queried itself.
            for (int i = 0; i < certificateChainSize - 1; i++) {
                response = client.verify(x509Certificates[i], x509Certificates[i + 1]);
            }
        } catch (OcspException e) {
            e.printStackTrace();
        }

When I test TLS and take a Wireshark capture, I realize that Google Chrome as the client has been sending the certificate chain without the root. As a result, the intermediate certificate is not queried because of the loop logic, since my code assumed the intermediate certificate is the root.

How can I force the client to send all nodes of the certificate chain?

Thanks

Recommended answer

> I realized that Google Chrome as client has been sending the certificate chain without the root.

That is perfectly normal and the only correct behavior.

The root certificate is the trust anchor, which has to be local to the party validating the certificate. Even if it is sent, it should be ignored when validating the certificate, i.e. only a local trust anchor should be used - otherwise a man in the middle could just provide his own certificate chain, including his own root certificate. This means that in this case the server must already have the root certificate locally, and thus there is no need for the client to send it.

In other words: don't try to change how Chrome behaves but instead adjust your expectations (and your code) on what the correct behavior is.
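The adjustment the answer calls for, as an added example (not the asker's or the answerer's code): the last certificate the client sent is treated as issued by a certificate in the server's local trust store, and Java's PKIX validator is asked to run OCSP over every certificate in the sent path, intermediates included. `ClientChainValidator` and its method names are my own; `trustStore` is assumed to hold the CA certificates the server accepts for client authentication.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Validates a client chain exactly as it arrives on the wire: leaf first, no root.
public final class ClientChainValidator {

    // Looks up the local trust anchor that issued the last certificate the client sent.
    // Name match alone is not enough; the signature must verify against the anchor key.
    static Optional<X509Certificate> findLocalIssuer(X509Certificate last, KeyStore trustStore)
            throws Exception {
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate anchor = (X509Certificate) c;
            if (!anchor.getSubjectX500Principal().equals(last.getIssuerX500Principal())) continue;
            try {
                last.verify(anchor.getPublicKey());
                return Optional.of(anchor);
            } catch (Exception sameNameDifferentKey) {
                // Another anchor may carry the same subject name; keep looking.
            }
        }
        return Optional.empty();
    }

    // Builds the path from the certificates the client sent, terminates it at a local
    // trust anchor, and checks revocation (OCSP first, CRL fallback) for each certificate
    // in the path. The anchor itself is never queried, matching the answer's point.
    static PKIXCertPathValidatorResult validate(X509Certificate[] sent, KeyStore trustStore)
            throws Exception {
        if (findLocalIssuer(sent[sent.length - 1], trustStore).isEmpty()) {
            throw new CertPathValidatorException("last sent certificate is not issued by a local anchor");
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(sent));
        PKIXParameters params = new PKIXParameters(trustStore); // anchors come from the server, never the wire
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No SOFT_FAIL and no ONLY_END_ENTITY: an unreachable responder fails validation
        // instead of silently skipping a certificate, and intermediates are checked too.
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(revocation);
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }
}
```

Once a `PKIXRevocationChecker` is added this way the validator uses it regardless of the `setRevocationEnabled` flag, so the explicit OCSP loop from the question is no longer needed.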
