HTTPS

 
Ranch Hand
Posts: 375
Some document says that SSL requires that the web server sends the browser a certificate for authentication, and requests that the browser send a certificate too. Is that true? I know that on the server side it needs to generate a key and have a certificate signed by a CA, but my browser can access a lot of "https" sites and I never did anything to generate a certificate for it. Where and how does the server get my browser's certificate?
 
Ranch Hand
Posts: 820
Go to your browser's Tools -> Options -> Encryption -> view certificates and you can see a huge list of certificates that your browser has stored. It is these that the browser presents to the server when the server asks.
 
Rancher
Posts: 43028

It is these that the browser presents to the server when the server asks.


Is that really the case? My understanding was that those certificates are the ones that the browser accepts as certificates that are valid for signing *server* certificates. In other words, as long as the server certificate is signed with one of the certificates stored in the browser, it is accepted.

Furthermore, I thought that generally the browser does not authenticate itself to the server, since most people do not have a personal certificate installed in their browser anyway ... ?
 
Tim McGuire
Ranch Hand
Posts: 820

Ulf Dittmer wrote: In other words, as long as the server certificate is signed with one of the certificates stored in the browser, it is accepted.

Furthermore, I thought that generally the browser does not authenticate itself to the server, since most people do not have a personal certificate installed in their browser anyway ... ?



Whoa. My answer is in error. It is the server that must prove itself to the browser and not the other way around. I meant to answer the question of "where does the browser get the certificates".
 
Ranch Hand
Posts: 220
In SSL/TLS the server must authenticate to the client**. That is the common case you normally see, for example at https://mail.google.com/. Optionally, the server may request that the SSL client also authenticate to the server. This is much rarer, and requires the client to have a certificate.

**Of course, there are exceptions to this rule, but they aren't important for this discussion.
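
The optional client authentication described in this thread is visible on the wire: in TLS 1.2 and earlier, the server asks for a client certificate by adding a CertificateRequest message to its first handshake flight, and in the common case that message is simply absent. The Python below is an added example, not code from any poster in this thread. It lists the handshake messages in such a flight; the message type numbers are those of RFC 5246, the two sample flights are constructed with placeholder bodies, and it does not apply to TLS 1.3, where CertificateRequest is sent encrypted.

```python
import struct

# Handshake message types defined for TLS 1.2 (RFC 5246).
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}
RECORD_HANDSHAKE = 22  # record-layer content type for handshake messages


def handshake_messages(flight):
    """Names of the plaintext handshake messages in a run of TLS records."""
    payload, pos = bytearray(), 0
    while pos < len(flight):
        if len(flight) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        body = flight[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        if ctype == RECORD_HANDSHAKE:
            payload += body  # one message may be split across records
        pos += 5 + length
    names, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated handshake header")
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(payload):
            raise ValueError("truncated handshake body")
        names.append(HANDSHAKE_TYPES.get(payload[pos], "unknown(%d)" % payload[pos]))
        pos += 4 + mlen
    return names


def server_requests_client_cert(server_flight):
    """True only if the server sent CertificateRequest (asked for a client cert)."""
    return "CertificateRequest" in handshake_messages(server_flight)


def sample_record(*msgs):
    """Build one handshake record; bodies are constructed placeholders, not real data."""
    body = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(body)) + body


# Constructed server flights: ServerHello, Certificate, [CertificateRequest], ServerHelloDone.
COMMON_CASE = sample_record((2, b"\0" * 38), (11, b"\0" * 10), (14, b""))
MUTUAL_AUTH = sample_record((2, b"\0" * 38), (11, b"\0" * 10), (13, b"\0" * 8), (14, b""))
```

A client that receives CertificateRequest and has no certificate installed answers with an empty Certificate message, and the server then decides whether to continue or abort the handshake.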
 