Issue 13934: Chromium will send a client certificate before the server certificate is verified on Windows
This bug report documents a problem that Chromium will have on Windows (when Chromium supports SSL client authentication) because of a limitation of the Schannel API. Under the Schannel, the server certificate is not available until the SSL handshake is finished. So Chromium verifies server certificates after SSL handshakes are finished. But if a server requests SSL client authentication, we must pass a client certificate to the Schannel in the middle of a handshake. So Chromium will send a client certificate before the server certificate is verified. Since IE uses the Schannel, IE has the same problem.
Jun 11, 2009
What bad thing happens because of this?
Jun 11, 2009
The only bad thing is that you reveal your identity (the info in the certificate) to the server before you can verify the identity of the server.
Jun 11, 2009
Is there any plausible way to fix this, short of ditching schannel? If not, I'd suggest marking this down as a known issue, filing a ticket with MSFT asking for better API support, and marking it wontfix.
Oct 02, 2009
If I try to get the server certificate as soon as InitializeSecurityContext returns SEC_I_INCOMPLETE_CREDENTIALS, the QueryContextAttributes(..., SECPKG_ATTR_REMOTE_CERT_CONTEXT, ...) call returns SEC_E_INVALID_HANDLE (0x80090301).
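The ordering problem the thread describes, as an added illustration that is not part of the issue or of Chromium's code: a minimal walk through the TLS 1.2 handshake message order (RFC 5246) comparing a client that checks the server chain when the Certificate message arrives with one that, like the Schannel behaviour described above, only gets to see the chain after the handshake completes. The `verify_on_receipt` flag and the `Trace` record are names chosen for this example.

```python
from dataclasses import dataclass

# TLS 1.2 message order for a handshake in which the server requests client
# authentication (RFC 5246, section 7.3). The client's Certificate message is
# sent in its second flight, in response to CertificateRequest.
SERVER_FLIGHT = ["ServerHello", "Certificate", "CertificateRequest", "ServerHelloDone"]
CLIENT_FLIGHT = ["Certificate", "ClientKeyExchange", "CertificateVerify", "Finished"]


@dataclass
class Trace:
    sent_client_cert: bool = False          # did the client's certificate leave the machine?
    verified_before_client_cert: bool = False  # was the server chain checked first?
    outcome: str = ""


def run_handshake(server_cert_valid: bool, verify_on_receipt: bool) -> Trace:
    """Simulate the client side only. verify_on_receipt=True models a stack that
    validates the server chain as soon as the Certificate message arrives.
    verify_on_receipt=False models the Schannel limitation from the issue: the
    chain is unavailable until the handshake is finished, so verification
    necessarily happens after the client's second flight has been sent."""
    t = Trace()
    cert_verified = False
    for msg in SERVER_FLIGHT:
        if msg == "Certificate" and verify_on_receipt:
            if not server_cert_valid:
                t.outcome = "aborted before any client identity was sent"
                return t
            cert_verified = True
    # CertificateRequest was received: the client now has to produce its certificate.
    for msg in CLIENT_FLIGHT:
        if msg == "Certificate":
            t.sent_client_cert = True
            t.verified_before_client_cert = cert_verified
    # Handshake complete: the late-verifying stack gets its first look at the chain.
    if not cert_verified and not server_cert_valid:
        t.outcome = "aborted after handshake: client identity already disclosed"
        return t
    t.outcome = "established"
    return t


if __name__ == "__main__":
    for valid in (True, False):
        for early in (True, False):
            print(f"server_cert_valid={valid} verify_on_receipt={early}: {run_handshake(valid, early)}")
```

With a bad server certificate, only the late-verifying client ends up with `sent_client_cert=True`, which is exactly the identity disclosure comment 2 describes.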