HomeDebug SSL issue – part 2 (2 way SSL)

Debug SSL issue – part 2 (2 way SSL)

May 25, 2017May 25, 2017 shrikant patel Technical1 way SSL, 2 way ssl, CA, Certificate Authority, https, identity store, identitystore, java key store, javakeystore, jks, one way SSL, PKI, private key, public key, SSL, trust store, Truststore, two way SSL

I covered 1 way SSL debug in – Debug SSL issue – part 1 (1 way SSL)

The only difference with 2 way SSL is additional step to verify the client certificate.

In *** ServerHello, TLSv1.2, the server challenges client to provide its certificate as well, you see below at the end of the server hello

*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=XXXXXXXXXXxXXXXX>
<OU=XXXXXXXXXXXXXXX>
<CN=XXXXXXXXXXXXXXXx>

Basically server is asking client provide a certificate that signed by any of the certificate authority (CA) provided in the list. Server only trust these CAs.
Client does look up in keystore \ identity store to find cert that match the list above. If it find one, it sends that cert to server.
Server that validates the cert sent by client, if it find that cert or cert chain in trust store, it prints

matching alias: XXXXXX
*** Certificate chain
chain [0] = […………

The next steps are similar to 1 way SSL.

Leave a comment Cancel reply