Tags: ssl, iis, mutual-authentication, tls1.0

What is the second handshake happening with TLS 1.0?


Description of the Issue:

I am trying to connect over TLS 1.0 from a Windows laptop to a Windows IIS server. We have mutual authentication set up on IIS.

Please see below the calls made for the handshake:

[screenshot of the captured handshake frames]

So it starts with a Client Hello in frame 4. In the next steps the server sends its certificate and the ciphers are negotiated. In frame 12 the handshake seems finished, and in frame 13 the client starts sending application data.

But then, in frame 14, the server sends a hello again and we see a second handshake. Please can you answer my queries below.

Question 1: In mutual authentication, the client requests the server certificate, and then the server requests the client certificate. Once both of them have authenticated each other's certificate, the client starts sending application data. Isn't this the normal process for mutual authentication?

Question 2: In frame 13 the client has already started sending application data. Why then is IIS asking for a second handshake in frame 21?

Question 3: It seems the second handshake is for getting the client certificate (frame 24). But shouldn't the server ask for the client certificate before frame 13?

In case you agree that this IIS behaviour is wrong, please can you suggest how to fix this.

Thanks in advance.


Solution

  • This scenario happens if the server does not require mutual authentication for all resources but only when accessing specific resources. Thus:
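The sequence the question describes (frame 4 Client Hello, frame 12 handshake complete, frame 13 application data, frame 14 a new hello from the server, frame 24 the client certificate) is a TLS renegotiation: the first handshake authenticates only the server, the client sends its HTTP request, and the server then sends a HelloRequest so that a second handshake with a CertificateRequest can run. The Python script below is an added example, not code from the question or the answer. It builds a constructed TLS 1.0 record stream that mirrors that exchange (handshake message bodies are left empty, only the record and handshake headers matter here), decodes the records, and reports each handshake, flagging one that starts after application data as a renegotiation and recording whether a client certificate was requested and sent. One caveat for reading a real capture: after the first Finished message every later record, including the renegotiation handshake, is encrypted on the wire, so this parser models the decrypted view a capture tool shows only when it has the server key.

```python
import struct

TLS10 = 0x0301
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def tls_record(content_type, payload):
    """TLS record header (RFC 2246 6.2.1): 1-byte type, 2-byte version, 2-byte length."""
    return struct.pack("!BHH", content_type, TLS10, len(payload)) + payload


def hs_msg(msg_type, body=b""):
    """Handshake message (RFC 2246 7.4): 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def handshake_record(*msgs):
    """One Handshake record carrying one or more messages (servers often batch a flight)."""
    return tls_record(22, b"".join(msgs))


def parse_record(raw):
    """Return (content type name, list of handshake message names) for one TLS record."""
    ctype, _version, length = struct.unpack("!BHH", raw[:5])
    payload = raw[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record")
    if ctype != 22:
        return CONTENT_TYPES.get(ctype, "type%d" % ctype), []
    names, pos = [], 0
    while pos < len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        names.append(HANDSHAKE_TYPES.get(mtype, "hs%d" % mtype))
        pos += 4 + mlen
    return "Handshake", names


def summarize_handshakes(frames):
    """Walk (sender, record) frames in capture order and describe each handshake.

    A ClientHello seen after application data has flowed is a renegotiation; a
    HelloRequest immediately before it means the server asked for that renegotiation."""
    handshakes, current = [], None
    app_data_seen = hello_request_pending = False
    for sender, raw in frames:
        ctype, msgs = parse_record(raw)
        if ctype == "ApplicationData":
            app_data_seen = True
            continue
        for name in msgs:
            if name == "HelloRequest":
                hello_request_pending = True
            elif name == "ClientHello":
                current = {"renegotiation": app_data_seen,
                           "triggered_by_hello_request": hello_request_pending,
                           "client_cert_requested": False, "client_cert_sent": False,
                           "finished_seen": 0}
                hello_request_pending = False
                handshakes.append(current)
            elif current is None:
                continue  # message before any ClientHello: nothing to attach it to
            elif name == "CertificateRequest":
                current["client_cert_requested"] = True
            elif name == "Certificate" and sender == "client":
                current["client_cert_sent"] = True
            elif name == "Finished":
                current["finished_seen"] += 1
    for h in handshakes:
        h["complete"] = h["finished_seen"] == 2  # one Finished from each side
    return handshakes


def build_capture():
    """Constructed frames (not a real capture): server-only handshake, one HTTP
    request, then a server-triggered renegotiation that requests the client certificate."""
    c, s = "client", "server"
    ccs = tls_record(20, b"\x01")
    return [
        (c, handshake_record(hs_msg(1))),                                    # ClientHello
        (s, handshake_record(hs_msg(2), hs_msg(11), hs_msg(14))),            # server flight, no CertificateRequest
        (c, handshake_record(hs_msg(16))), (c, ccs), (c, handshake_record(hs_msg(20))),
        (s, ccs), (s, handshake_record(hs_msg(20))),                         # first handshake complete
        (c, tls_record(23, b"GET /protected HTTP/1.1\r\n\r\n")),             # application data
        (s, handshake_record(hs_msg(0))),                                    # HelloRequest: renegotiate
        (c, handshake_record(hs_msg(1))),                                    # second ClientHello
        (s, handshake_record(hs_msg(2), hs_msg(11), hs_msg(13), hs_msg(14))),  # now with CertificateRequest
        (c, handshake_record(hs_msg(11), hs_msg(16), hs_msg(15))),           # client Certificate + CertificateVerify
        (c, ccs), (c, handshake_record(hs_msg(20))),
        (s, ccs), (s, handshake_record(hs_msg(20))),                         # second handshake complete
    ]


if __name__ == "__main__":
    for i, h in enumerate(summarize_handshakes(build_capture()), 1):
        print("handshake %d:" % i, h)
```

Run as-is it prints two handshakes: the first is not a renegotiation and requested no client certificate; the second is a renegotiation triggered by a HelloRequest in which the certificate was requested and sent. That is exactly the pattern the answer attributes to a server that requires client certificates only for some resources: the server learns which resource is wanted only from the request sent as application data, and asks for the certificate afterwards.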