Question on SSL/TLS protocol and self-signed certificate

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Question on SSL/TLS protocol and self-signed certificate

Lusiana Lusiana
Hi,

I'm a newbie with SSL/TLS protocol and hoping someone can enlighten me
on a few things.

My understanding of the TLS protocol is the following:
During a session establishment a server always transmits its
certificate to the client, and the client must validate the
certificate.
Therefore, if the server is using a self-signed certificate, the
certificate must be made available to the client prior to the actual
session establishment attempt.

I tried to test this using OpenSSL s_client connecting to a web server
whose certificate is self-signed. I didn't import server certificate
to the client in prior to testing this.
Therefore, I expected the session establishment would fail as client
had no trusted certificate to verify the server certificate.
However, the s_client seemed to successfully established session to the server.

What am I missing here?
Doesn't client need server's self-signed certificate to validate the
transmitted certificate?
Or is there a setting that allows accepting of self-signed certificate?

Thank you in advance,
Lucy



Snippet of the output from the s_client is as the bottom of the page.

-----------------------------------
CONNECTED(00000003)
depth=0 /C=au/ST=test/O=test/OU=test/CN=test
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=au/ST=test/O=test/OU=test/CN=test
verify return:1
---
Certificate chain
 0 s:/C=au/ST=test/O=test/OU=test/CN=test
   i:/C=au/ST=test/O=test/OU=test/CN=test
---
Server certificate
[output deleted]
subject=/C=au/ST=test/O=test/OU=test/CN=test
issuer=/C=au/ST=test/O=test/OU=test/CN=test
---
No client certificate CA names sent
---
SSL handshake has read 672 bytes and written 252 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
[output deleted]
    Verify return code: 18 (self signed certificate)
---
[output of http get deleted]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Question on SSL/TLS protocol and self-signed certificate

Dr. Stephen Henson
On Fri, Jan 20, 2006, Lusiana Lusiana wrote:

>
> I tried to test this using OpenSSL s_client connecting to a web server
> whose certificate is self-signed. I didn't import server certificate
> to the client in prior to testing this.
> Therefore, I expected the session establishment would fail as client
> had no trusted certificate to verify the server certificate.
> However, the s_client seemed to successfully established session to the server.
>
> What am I missing here?
> Doesn't client need server's self-signed certificate to validate the
> transmitted certificate?
> Or is there a setting that allows accepting of self-signed certificate?
>

The s_client utility is a test utility which will continue with a connection
after a certificate chain verification failure. A normal client would exit
under those circumstances.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Question on SSL/TLS protocol and self-signed certificate

Lusiana Lusiana
On 1/20/06, Dr. Stephen Henson <[hidden email]> wrote:
>
> The s_client utility is a test utility which will continue with a connection
> after a certificate chain verification failure. A normal client would exit
> under those circumstances.
Hi Steve,

Thank you very much for the prompt reply.
The information is spot on.

Regards,
Lucy

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]