Client Authentication During SSL Handshake

1. Client Authentication Ssl Handshake
2. Https Client Authentication

SSL-enabled servers can be configured to require client authentication,or cryptographic validation by the server of the client’s identity.When a server configured this way requests client authentication separatepiece of digitally signed data to authenticate itself. The server uses thedigitally signed data to validate the public key in the certificate and toauthenticate the identity the certificate claims to represent.

The SSL protocol requires the client to create a digital signature bycreating a one-way hash from data generated randomly during the handshakeand known only to the client and server. The hash of the data is then encryptedwith the private key that corresponds to the public key in the certificatebeing presented to the server.

• If the client does not provide any certificate in the client’s Certificate message or modssl fails to verify the certificate provided, the TLS handshake will be aborted and a fatal TLS alert message will be sent to the client. The value optional is the same as require, but an empty client’s Certificate message will be tolerated.
• If the client does not provide any certificate in the client’s Certificate message or modssl fails to verify the certificate provided, the TLS handshake will be aborted and a fatal TLS alert message will be sent to the client. The value optional is the same as require, but an empty client’s Certificate message will be tolerated.

Feb 15, 2017 - Both SSL certificate (server) and client certificate encompass the “Issued to” section. Here, for SSL certificate the “Issued to” section's value will.

To authenticate the binding between the public key and the person orother entity identified by the certificate that contains the public key, anSSL-enabled server must receive a yes answer to the firstfour questions shown in Figure 5–10.Although the fifth question is not part of the SSL protocol, directory serverscan be configured to support this requirement to take advantage of the userentry in an LDAP directory as part of the authentication process.

Client Authentication Ssl Handshake

Figure 5–10 Authentication and Verification During SSL Handshake

Https Client Authentication

An SSL-enabled server goes through the following steps to authenticatea user’s identity:

1. Does the user’s public key validate the user’sdigital signature?

   The server checks that the user’s digitalsignature can be validated with the public key in the certificate. If so,the server has established that the public key asserted to belong to JohnDoe matches the private key used to create the signature and that the datahas not been tampered with since it was signed.

   At this point, however, the binding between the public key and the DNspecified in the certificate has not yet been established. The certificatemight have been created by someone attempting to impersonate the user. Tovalidate the binding between the public key and the DN, the server must alsocomplete steps 3 and 4 in this list.

2. Is today’s date within the validity period?

   Theserver checks the certificate’s validity period. If the current dateand time are outside of that range, the authentication process won’tgo any further. If the current date and time are within the certificate’svalidity period, the server goes onto the next step.

3. Is the issuing CA a trusted CA?

   Each SSL-enabledserver maintains a list of trusted CA certificates, represented by the shadedarea on the right—hand side of Figure 5–10. This list determines which certificates the server accepts. If theDN of the issuing CA matches the DN of a CA on the server’s list oftrusted CAs, the answer to this question is yes, and the server goes on tothe next step. If the issuing CA is not on the list, the client is not authenticatedunless the server can verify a certificate chain ending in a CA that is trustedor not trusted within their organizations by controlling the lists of CA certificatesmaintained by clients and servers.

4. Does the issuing CA’s public key validate the issuer’sdigital signature?

   The server uses the public key from the CA’scertificate (which it found in its list of trusted CAs in the previous step)to validate the CA’s digital signature on the certificate being presented.If the information in the certificate has changed since it was signed by theCA or if the public key in the CA certificate doesn’t correspond tothe private key used by the CA to sign the certificate, the server won’tauthenticate the user’s identity. If the CA’s digital signaturecan be validated, the server treats the user’s certificate as a valid “letterof introduction” from that CA and proceeds. At this point, the SSL protocolallows the server to consider the client authenticated and proceed with theconnection as described in step 6. The directory servers may optionally beconfigured to perform step 5 before step 6.

5. Is the user’s certificate listed in the LDAP entry forthe user?

   This optional step provides one way for a system administratorto revoke a user’s certificate even if it passes the tests in all theother steps. The Certificate Management System can automatically remove arevoked certificate from the user’s entry in the LDAP directory. Allservers that are set up to perform this step then refuses to authenticatethat certificate or establish a connection. If the user’s certificatein the directory is identical to the user’s certificate presented inthe SSL handshake, the server goes on to the next step.

6. Is the authenticated client authorized to access the requestedresources?

   The server checks what resources the client is permittedto access according to the server’s access control lists (ACLs) andestablishes a connection with appropriate access. If the server doesn’tget to step 6 for any reason, the user identified by the certificate cannotbe authenticated, and the user is not allowed to access any server resourcesthat require authentication.