I am planning to implement a small standalone program that will make an HTTPS request to a server. Does that require a valid SSL certificate in the client? How does the SSL handshake work in that case? Are there any security issues in the client not having an SSL certificate?

A: 

You don't need a certificate to make an HTTPS connection, but you do need one if you want to know with whom you are communicating.

Visage
+1  A: 

A client certificate is required only if the server requires one. A client certificate allows the server to authenticate the client, but this is only useful if the server has a list of all authorized clients. That's generally not the case with a web server, so it's quite rare for them to require client certificates.

When present, the client-side certificate does not affect establishment of the secure channel. (Only the server's certificate is required for that, and adding a client certificate into the mix doesn't change the process.) Once a secure channel is established, the server will use the client's certificate to authenticate the client (generally by comparing the client's public key or name with a list of authorized clients).

Peter Ruderman
+5  A: 

Apart from encrypting the network traffic, HTTPS is normally used to authenticate the server. That is, to give clients reassuring information about who owns the server, etc. For that to work, the client needs to inspect the trust chain in the certificate published by the server. For that to happen automatically, the client machine should have a certificate installed that describes a Certification Authority that issued the server's certificate. Normally such certificates are found on your machine in a store called "Trusted Root Certification Authorities", and most OSes come with a set of common CAs already installed.

In addition, many web servers offer a feature where the client can authenticate itself to the server by supplying a client certificate. The web server is able to inspect the certificate coming from the client and map it onto a set of permissions on the server. This "client authentication" is not necessary for a working HTTPS session however, it's just an option.

In short, you don't actually need any certificate on the client, but you will probably want to have a root CA certificate in order to validate the server's identity. If you don't have that certificate it will be impossible for you to trust the server (unless you have another good reason to do so), but you might choose to exchange data with it anyway.

Martin
If client authentication is optional, how does a server encrypt the content sent back in the response to the client? What encryption algorithm does the server use and what would be the public key the server use? Or will the client share the key/algorithm during the initial handshake?
Ram
The client and server agree on a key and crypto method during the initial handshake.
Dave Sherohman
If there is no client authentication, would it not be a security issue, as it is possible for a man-in-the-middle to spoof the client pretending to be the server?
Ram
Yes, but nobody is suggesting that you should have no client authentication. Just that you don't need a client certificate to authenticate the client. That's just one option. Others are username/password, kerberos, etc.
Martin
But the absence of client authentication doesn't allow someone to pretend to be the server. It allows them to pretend to be a client.
Martin
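The two answers above (Peter Ruderman's and Martin's) describe the same asymmetry in words: the client needs a trusted root to verify the server, but needs a certificate of its own only when the server demands one. The Go program below is an added example, not code from any of the answers or from the moserware article; it uses only Go's standard crypto/tls and crypto/x509 packages, builds a throw-away CA, a server certificate for "localhost" and a client certificate for "client-1" in memory (all names constructed for the example), and runs five handshakes over loopback TCP so each case in the discussion can be observed rather than asserted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert makes a certificate for cn: with parent == nil a self-signed CA, otherwise a
// leaf (usable as server or client certificate) signed by parent. The CA is a throw-away
// one built for this example, not a real trust root. Any failure aborts the example.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signKey := parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signKey = tmpl, key
	} else { // leaf: permitted for both server and client authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Outcome records what each side of one handshake attempt saw.
type Outcome struct{ ClientErr, ServerErr error }

// OK is true only when both sides completed the handshake without error.
func (o Outcome) OK() bool { return o.ClientErr == nil && o.ServerErr == nil }

// handshake runs one TLS handshake over loopback TCP and reports both sides' results.
func handshake(serverCfg, clientCfg *tls.Config) Outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return Outcome{err, err} }
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil { srvDone <- err; return }
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, serverCfg)
		defer srv.Close()
		srvDone <- srv.Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return Outcome{err, err} }
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, clientCfg)
	clientErr := cli.Handshake()
	serverErr := <-srvDone // let the server finish before closing our end
	cli.Close()
	return Outcome{clientErr, serverErr}
}

// Scenarios runs the handshakes that illustrate the answers above.
func Scenarios() map[string]Outcome {
	ca, caKey := newCert("Example Test CA", nil, nil)
	srvCert, srvKey := newCert("localhost", ca, caKey)
	cliCert, cliKey := newCert("client-1", ca, caKey)
	trust := x509.NewCertPool() // plays the client's trusted-root store
	trust.AddCert(ca)
	empty := x509.NewCertPool() // a client that trusts no CA at all
	serverID := []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}
	clientID := []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	server := &tls.Config{Certificates: serverID}
	strict := &tls.Config{Certificates: serverID, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	return map[string]Outcome{
		"trusted root, no client cert":      handshake(server, &tls.Config{ServerName: "localhost", RootCAs: trust}),
		"no trusted root":                   handshake(server, &tls.Config{ServerName: "localhost", RootCAs: empty}),
		"no trusted root, verification off": handshake(server, &tls.Config{ServerName: "localhost", RootCAs: empty, InsecureSkipVerify: true}),
		"client cert demanded, none sent":   handshake(strict, &tls.Config{ServerName: "localhost", RootCAs: trust}),
		"client cert demanded, sent":        handshake(strict, &tls.Config{ServerName: "localhost", RootCAs: trust, Certificates: clientID}),
	}
}

func main() {
	for name, o := range Scenarios() {
		fmt.Printf("%-36s ok=%-5v client=%v server=%v\n", name, o.OK(), o.ClientErr, o.ServerErr)
	}
}
```

Running it with `go run` prints one line per scenario. The first line is the everyday case: a trust root and no client certificate is all a client needs. The "no trusted root" line is the client refusing a server it cannot identify (Go reports it as a certificate signed by an unknown authority), and the "verification off" line is the choice Martin mentions of talking to the server anyway, with the authentication property gone. The last two lines are client authentication as the server's option. One caveat when reading the output: with TLS 1.3 the client sends its (empty) Certificate and Finished messages and returns from its handshake before the server has inspected them, so in the "none sent" case the client side can report success while the server side reports the refusal; the server's result is the authoritative one, which is why Outcome carries both.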
+2  A: 

If you wish to learn more about the HTTPS handshake and what is negotiated, I fully recommend you look at this excellent write-up at moserware:

http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Cheekysoft