HTTPS

 
Ranch Hand
Posts: 375
Some document says that SSL requires that the web server send the browser a certificate for authentication, and request that the browser send a certificate too. Is that true? I know that on the server side it needs to generate a key and have a certificate signed by a CA. But my browser can access a lot of "https" sites and I have never done anything to generate a certificate for it. Where and how does the server get my browser's certificate?
 
Ranch Hand
Posts: 820
IntelliJ IDE VI Editor Tomcat Server
Go to your browser's Tools -> Options -> Encryption -> View Certificates and you can see a huge list of certificates that your browser has stored. It is these that the browser presents to the server when the server asks.
 
Rancher
Posts: 43081

It is these that the browser presents to the server when the server asks.


Is that really the case? My understanding was that those certificates are the ones that the browser accepts as certificates that are valid for signing *server* certificates. In other words, as long as the server certificate is signed with one of the certificates stored in the browser, it is accepted.

Furthermore, I thought that generally the browser does not authenticate itself to the server, since most people do not have a personal certificate installed in their browser anyway ... ?
 
Tim McGuire
Ranch Hand
Posts: 820
IntelliJ IDE VI Editor Tomcat Server

Ulf Dittmer wrote:In other words, as long as the server certificate is signed with one of the certificates stored in the browser, it is accepted.

Furthermore, I thought that generally the browser does not authenticate itself to the server, since most people do not have a personal certificate installed in their browser anyway ... ?



Whoa. My answer is in error. It is the server that must prove itself to the browser and not the other way around. I meant to answer the question of "where does the browser get the certificates".
 
Ranch Hand
Posts: 220
In SSL/TLS the server must authenticate to the client**. That is the common case you normally see, for example at https://mail.google.com/. Optionally, the server may request that the SSL client also authenticate to the server. This is much rarer, and requires the client to have a certificate.

**Of course, there are exceptions to this rule but they aren't important for this discussion.
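
As an added illustration (not part of any post in this thread), the following Python sketch walks the plaintext server flight of a TLS 1.2 handshake and reports whether the server sent its own Certificate and whether it also sent a CertificateRequest, the message a server uses to ask the client for a certificate. The record bytes are constructed placeholders and the function names are made up for this example; in TLS 1.3 these messages are encrypted, so this check does not apply there.

```python
import struct

# TLS 1.2 (RFC 5246) handshake message types in the server's first flight.
HANDSHAKE_TYPES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}
RECORD_HANDSHAKE = 22  # TLS record content type for handshake data


def handshake_messages(stream):
    """Return the names of the plaintext handshake messages in a TLS record stream."""
    payload, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5: pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if ctype == RECORD_HANDSHAKE:
            payload += body  # a handshake message may span several records
        pos += 5 + length
    names, pos = [], 0
    while pos + 4 <= len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1: pos + 4], "big")
        if pos + 4 + mlen > len(payload):
            raise ValueError("truncated handshake message")
        names.append(HANDSHAKE_TYPES.get(mtype, f"type_{mtype}"))
        pos += 4 + mlen
    return names


def server_auth_summary(stream):
    """Summarise who is being asked to authenticate (hypothetical helper)."""
    msgs = handshake_messages(stream)
    return {"server_sent_certificate": "Certificate" in msgs,
            "client_certificate_requested": "CertificateRequest" in msgs}


def _msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _record(payload):
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(payload)) + payload


# Constructed sample flights; bodies are zero-filled placeholders, not real certificates.
ONE_WAY = _record(_msg(2, bytes(38)) + _msg(11, bytes(64)) + _msg(14, b""))
_MUTUAL_FLIGHT = (_msg(2, bytes(38)) + _msg(11, bytes(64))
                  + _msg(13, bytes(8)) + _msg(14, b""))
# Split mid-Certificate to exercise reassembly across two records.
MUTUAL = _record(_MUTUAL_FLIGHT[:50]) + _record(_MUTUAL_FLIGHT[50:])
```

`ONE_WAY` is the common case from the post above (server authenticates only); `MUTUAL` adds the CertificateRequest that a server sends when it also wants the client to authenticate.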
 