What is second hand-shake happening with TLS 1.0
Description of the Issue:
I am trying to connect to TLS 1.0 from the windows laptop to Windows IIS server. We have mutual authentication set-up at IIS.
Please see below the calls made for the handshake:
So it starts with client hello on frame no 4. And then in the next steps Server sends it’s certificate and ciphers are negotiated. And then on frame no 12, the handshake seems finished. And on frame no 13, client starts sending the application data.
But then again on frame no 14, Server sends a hello and we see a second handshake. Please can you answer my below query.
Question>> In mutual authentication, Client requests for Server Certificate. And then Server requests for the Client certificate. And when both of them has authenticated each other’s certificate, client starts sending application data. Isn’t this a normal process for mutual authentication?
Question>> On Frame 13, Client has already started sharing the application data. Then why is IIS asking for a second hand-shake on frame 21?
Question>> It seems the second hand-shake is for getting the client certificate ( Frame 24). But shouldn’t the Server ask for the Client certificate before frame 13.
In case you agree that this IIS behaviour is wrong, please can you suggest as how to fix this.
Thanks in advance.
This scenario happens if the server does not require mutual authentication for all resources but only when accessing specific resources. Thus:
- The initial handshake without client certificates is done (frames 4..12).
- The client sends the HTTP request (frame 13).
- Based on the request the server realizes that the clients likes to access a resource which requires mutual authentication. The server thus requests a new handshake using the Hello Request (frame 14).
- The new handshake is done, this time with client certificates (frames 15..25).
- The server sends the HTTP response after the authentication of the client was successful (frames 26,29).
- Where is a CAcert's password used?
- curl error 35 : failed to receive handshake, SSL/TLS connection failed
- Curl: Fix CURL (51) SSL error: no alternative certificate subject name matches
- How to disable SSL verification in Spring Vault
- gitea using a normal user and https
- Is possible to use Amazon Elastic Beanstalk with SSL (HTTPS) without a Load Balancer?
- Received fatal alert: bad_certificate
- Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
- Reason to disable CSRF in spring boot
- Composer : SSL certificate problem: unable to get local issuer certificate
- Unable to verify leaf signature
- Java Keytool error after importing certificate , "keytool error: java.io.FileNotFoundException & Access Denied"
- SSL, Connection is not secure
- kubectl unable to connect to server: x509: certificate signed by unknown authority
- Cannot figure out why DTLS handshake does not complete
- file_get_contents(): SSL operation failed with code 1, Failed to enable crypto
- How to Check Subject Alternative Names for a SSL/TLS Certificate?
- Self-Signed CA Certificates Rejected by Android
- AWS Java SDK SSL Certificates
- How to use awx cli?
- nodejs environment variable "NODE_EXTRA_CA_CERTS"
- How to connect to MongoDB with certificate using DataGrip?
- Insomnia : Error: SSL peer certificate or SSH remote key was not OK
- AWS EC2 Spring Boot Deployment - SSL/HTTPS Error after Configuring Route 53, ACM, and GoDaddy
- Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
- Implicitly trust SSL certificates in iOS app for private API
- Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
- Docker not able to pull images behind proxy TLS handshake timeout
- How come I can make SSL connections to AWS Postgre RDS, when the ca certificate already expired?
- HTTP to HTTPS Nginx too many redirects