How is the SSL CertificateVerify created? Can it be cached?



  • When an HTTPS connection with a client certificate request is made, the client sends a CertificateVerify message with its public certificate so the server can verify that the client has a valid private certificate that matches the public key.

    This CertificateVerify has a signed hash made from common client and server data. How is this data made? Is it random? Who makes it? Is it the server or the client that generates this data and sends it to the server? I can't find information about that and I'm unable to read the code (apache2 mod_ssl or openssl).

    Besides that, is it possible to get the original data and the hashed and signed result sent by the client from the server side (log from apache, PHP)?

    All the technical data I've found about an SSL handshake only mentions that this is the procedure, but not how the data to sign is generated or how the server can "save" it as proof that the authentication was made (How does a server validate the Certificate Verify message in SSL/TLS?)



  • How is this data made?

    For TLS 1.2 it is basically all data up to the message - see here for details. For TLS 1.3 it is a bit more complex.

    Is it random?

    Since it is built on the messages sent so far, it also contains the random data explicitly contained in these messages.

    Who makes it?

    The client. But it also contains data the client has received from the server, including random data.

    Besides that, is it possible to get the original data and the hashed and signed result sent by the client from the server side (log from apache, PHP)?

    I don't see any actual real-life use case for this and neither did the authors of the software you mention. So it is not accessible.

    Can it be cached?

    No. The random data it contains is specific to the current TLS session.

    All the technical data that I've found about a SSL handshake ...

    The authoritative sources are the actual TLS standards. Maybe hard to read, but it's in there.
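The following is an added Go model of what the answer describes for TLS 1.2 (it is not code from the question, the answer, OpenSSL or mod_ssl): the client signs the hash of every handshake message sent so far, the server recomputes that hash from its own copy of the messages and checks the signature with the public key from the client's certificate, and a signature lifted from one session fails in a session whose server_random differs. The message bodies are constructed stand-ins rather than real TLS encodings, and ECDSA P-256 with SHA-256 is assumed as the signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Client side: hash the handshake transcript and sign the hash with the private key
// matching the certificate it sent (ECDSA P-256 with SHA-256, a TLS 1.2 combination).
func signCertificateVerify(priv *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	h := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Server side: recompute the hash from its own copy of the messages and check the
// signature against the public key taken from the client's Certificate message.
func verifyCertificateVerify(pub *ecdsa.PublicKey, transcript, sig []byte) bool {
	h := sha256.Sum256(transcript)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// replayCheck signs CertificateVerify in one session and replays it in a second
// session that differs only in server_random. Returns (fresh ok, replayed ok, error).
func replayCheck() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	r := make([]byte, 96) // one client_random and two different server_randoms
	rand.Read(r)          // crypto/rand: documented never to fail on supported platforms
	clientRandom, serverA, serverB := r[:32], r[32:64], r[64:]
	cert, cke := []byte("constructed Certificate"), []byte("constructed ClientKeyExchange")
	// TLS 1.2 handshake_messages: every handshake message sent so far, starting with
	// ClientHello (client_random) and ServerHello (server_random); bodies are stand-ins.
	tA := bytes.Join([][]byte{clientRandom, serverA, cert, cke}, nil)
	tB := bytes.Join([][]byte{clientRandom, serverB, cert, cke}, nil)
	sig, err := signCertificateVerify(priv, tA)
	if err != nil {
		return false, false, err
	}
	return verifyCertificateVerify(&priv.PublicKey, tA, sig), verifyCertificateVerify(&priv.PublicKey, tB, sig), nil
}

func main() {
	fresh, replayed, err := replayCheck()
	fmt.Println(fresh, replayed, err) // true false <nil>
}
```

Because the server only ever needs the transcript it already holds and the public key from the Certificate message, nothing beyond the pass/fail outcome has to be stored, which is why the web server and PHP expose no handle to the signed data.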

