Proper response by SSL / TLS client for Certificate Request message with no DNs?


Problem description

What is the proper behavior by an SSL/TLS client when it receives a Certificate Request message that has an empty DN list?

Here are two possibilities that seem natural:
1) Send back an empty Certificate message
2) Select (or prompt the user to select) a certificate from among all possible certificates

Is there a single correct behavior, or is either option OK? My goal is to provide a certificate in my code (.Net, WCF) to the server, and I'm trying to determine whether I need to make changes on the client side to override the seemingly default behavior of not sending the cert, or if I need to make changes on the server side to actually send the DN list.

It appears that the browser will choose option 2, but my code using WCF and .Net is using option 1. I am able to select the certificate from the store, but it is not being sent in the TLS handshake.

The TLS 1.0 and 1.2 specs (RFCs 2246 and 5246) don't seem to provide any guidance on this situation.

Recommended answer

This is actually an area where the TLS 1.0 specification and TLS 1.1/1.2 differ.

In particular, the following was added to Section 7.4.4 (Certificate Request) in TLS 1.1:

    If the certificate_authorities list is empty then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.

In my experience (at least with browsers and Java/JSSE), this also worked in practice for SSLv3 and TLS 1.0, even if nothing was said about the empty list.

It's up to you to choose what to do ([...] MAY send any [...]).

In any case, even with a non-empty CA list, when multiple client certificates match the CA conditions, a choice would need to be made, automatically or via the UI. This is also implementation dependent, and may be customised depending on the framework.
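The following is an added example, not code from the question or the answer above: it parses a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) and applies the rule the answer quotes, treating an empty certificate_authorities list as "any certificate of a requested type is eligible" rather than "send nothing". The certificate store, the CA names, the `der_cn` helper and the certificate entries are all constructed for the example; a real client would match the server's DNs against any CA in each candidate's chain, not only the direct issuer as done here.

```python
"""Parse a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) and work
out which client certificates may be sent back.  All inputs are constructed
for the example; nothing is read from a real handshake or certificate store."""
import struct

# ClientCertificateType values from RFC 5246 section 7.4.4
RSA_SIGN, DSS_SIGN, ECDSA_SIGN = 1, 2, 64


def _read_u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise ValueError("truncated CertificateRequest")
    return struct.unpack(">H", buf[off:off + 2])[0]


def parse_certificate_request(body: bytes):
    """Return (certificate_types, signature_algorithms, certificate_authorities).

    Wire layout (TLS 1.2):
      ClientCertificateType      certificate_types<1..2^8-1>            (1-byte length)
      SignatureAndHashAlgorithm  supported_signature_algorithms<2..2^16-2> (2-byte length, pairs)
      DistinguishedName          certificate_authorities<0..2^16-1>      (2-byte length, each DN 2-byte prefixed DER)
    """
    if not body:
        raise ValueError("empty CertificateRequest")
    off = 0
    n_types = body[off]; off += 1
    cert_types = list(body[off:off + n_types]); off += n_types
    if len(cert_types) != n_types:
        raise ValueError("truncated certificate_types")
    sig_len = _read_u16(body, off); off += 2
    sig_bytes = body[off:off + sig_len]; off += sig_len
    if len(sig_bytes) != sig_len or sig_len % 2:
        raise ValueError("malformed supported_signature_algorithms")
    sig_algs = [(sig_bytes[i], sig_bytes[i + 1]) for i in range(0, sig_len, 2)]
    ca_len = _read_u16(body, off); off += 2
    end = off + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    ca_dns = []
    while off < end:
        dn_len = _read_u16(body, off); off += 2
        if off + dn_len > end:
            raise ValueError("truncated DistinguishedName")
        ca_dns.append(body[off:off + dn_len]); off += dn_len
    return cert_types, sig_algs, ca_dns


def eligible_certificates(store, cert_types, ca_dns):
    """Filter a (constructed) store against the request.  An empty
    certificate_authorities list is NOT "send no certificate": per TLS 1.1/1.2
    the client MAY send any certificate of an acceptable type, so the issuer
    check is skipped.  Simplification: only the direct issuer DN is compared."""
    chosen = []
    for cert in store:
        if cert["type"] not in cert_types:
            continue
        if ca_dns and cert["issuer_dn"] not in ca_dns:
            continue
        chosen.append(cert)
    return chosen


def choose_client_certificate(body: bytes, store):
    """Name of the certificate to send, or None for an empty Certificate message
    (RFC 5246 section 7.4.6).  With several candidates the pick is a policy
    decision (automatic or a UI prompt); this example simply takes the first."""
    cert_types, _sig_algs, ca_dns = parse_certificate_request(body)
    candidates = eligible_certificates(store, cert_types, ca_dns)
    return candidates[0]["name"] if candidates else None


def der_cn(name: str) -> bytes:
    """Minimal DER X.501 Name holding a single CN (OID 2.5.4.3); short names only."""
    utf8 = bytes([0x0C, len(name)]) + name.encode("utf-8")
    atv = bytes([0x30, 5 + len(utf8)]) + b"\x06\x03\x55\x04\x03" + utf8
    rdn = bytes([0x31, len(atv)]) + atv
    return bytes([0x30, len(rdn)]) + rdn


def build_certificate_request(cert_types, sig_algs, ca_dns) -> bytes:
    """Encode a TLS 1.2 CertificateRequest body (used to construct sample input)."""
    sigs = b"".join(bytes(pair) for pair in sig_algs)
    cas = b"".join(struct.pack(">H", len(dn)) + dn for dn in ca_dns)
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack(">H", len(sigs)) + sigs
            + struct.pack(">H", len(cas)) + cas)


# Constructed stand-in for the client's certificate store (hypothetical names).
INTERNAL_CA = der_cn("Internal Issuing CA")
PARTNER_CA = der_cn("Partner CA")
STORE = [
    {"name": "rsa-client", "type": RSA_SIGN, "issuer_dn": INTERNAL_CA},
    {"name": "ecdsa-client", "type": ECDSA_SIGN, "issuer_dn": PARTNER_CA},
]
SIG_ALGS = [(4, 1), (4, 3)]  # sha256/rsa, sha256/ecdsa

# Case 1: server sends no DNs -> any certificate of a requested type is eligible.
REQ_NO_DNS = build_certificate_request([RSA_SIGN, ECDSA_SIGN], SIG_ALGS, [])
# Case 2: server names only the partner CA -> the RSA certificate is filtered out.
REQ_PARTNER_ONLY = build_certificate_request([RSA_SIGN, ECDSA_SIGN], SIG_ALGS, [PARTNER_CA])
# Case 3: server names a CA we hold nothing from -> reply with an empty Certificate.
REQ_UNKNOWN_CA = build_certificate_request([RSA_SIGN], SIG_ALGS, [der_cn("Some Other CA")])

if __name__ == "__main__":
    for label, req in [("no DNs", REQ_NO_DNS), ("partner CA only", REQ_PARTNER_ONLY),
                       ("unknown CA", REQ_UNKNOWN_CA)]:
        print(label, "->", choose_client_certificate(req, STORE) or "empty Certificate")
```

The empty-list branch is the one that matters for the question: a client that treats `ca_dns == []` as "no acceptable issuer" will always answer with an empty Certificate message, which is the default behaviour the questioner observed, while the TLS 1.1/1.2 text permits sending any certificate of a requested type.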

