0

When a HTTPS connection with a client certificate request is done, the client sends a CertificateVerify message with his public certificate so the server can verify that the client has a valid private certificate that matches the public key.

This CertificateVerify has a signed hash made from a common client and server data. How this data is made? It's random? Who makes it? Is the server or is the client that generates this data and sends it to the server? I can't find information about that and I'm unable to read the code (apache2 mod_ssl or openssl).

Besides that, is it possible to get the original data and the hashed signed result sent by the client from the server side (log from apache, PHP)?

All the technical data that I've found about a SSL handshake only makes reference that this is the procedure but not how the data to sign is generated and how the server can "save" it as proof that the authentication is made (How does a server validate the Certificate Verify message in SSL/TLS?)

schroeder
  • 123,438
  • 55
  • 284
  • 319
pauet
  • 3
  • 1
  • What you want to know is how verification is done? right? if this is the case please read about PKI (Public key infrastructure) and how public certificates are stored w.r.t web-servers or system like Linux and Windows. – saurabh Jun 09 '21 at 13:20
  • I know how verification is done, and about PKI. What I don't know is how ClientVerify step is done and what kind of data is used in this step to verify that the client has the valid Private Key. – pauet Jun 09 '21 at 13:27
  • The link that you have specified already mentioned it. The second answer, part 2 trust of client "The signature is produced by the client and verified by the server. The data actually signed is known by client and server and thus not re-sent (it's spaces, a context string, a zero byte and the previous messages)." – saurabh Jun 09 '21 at 13:48
  • But what contains this DATA? What's Previous messages? And, the other question I've made. Is there a way that the server can save this data to a file? – pauet Jun 09 '21 at 15:50

1 Answers1

0

How this data is made?

For TLS 1.2 it is basically all data up to the message - see here for details. For TLS 1.3 it is a bit more complex.

It's random?

Since it is build on the messages sent so far it also contains the random data explicitly contained in these messages.

Who makes it?

The client. But it also contains data the client has received from the server, including random data.

Besides that, is it possible to get the original data and the hashed signed result sent by the client from the server side (log from apache, PHP)?

I don't see any actual real-life use case for this and neither did the authors of the software you mention. So it is not accessible.

It can be cached?

No. The random data it contains are specific to the current TLS session.

All the technical data that I've found about a SSL handshake ...

The authoritative source are the actual TLS standards. Maybe hard to read but its in there.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424