Re: Presenting complete cert chain from IIS

From: David Hopwood (david.hopwood_at_zetnet.co.uk)
Date: 09/03/03


Date: Wed, 03 Sep 2003 03:49:56 +0000


-----BEGIN PGP SIGNED MESSAGE-----

kjr wrote:
> I have enabled SSL communication in my IIS. At the client side I
> receive only the leaf certificate used by IIS. How can I configure IIS
> to return the complete chain of certificates?

It is common for SSL servers to omit the CA's root cert, on the grounds
that the client must already have the CA's key in order to verify the
chain. It sounds as though the chain is only two certs long in your case,
and so you are only getting the leaf cert. The SSL spec explicitly allows
servers to do this, so there is not necessarily any way to configure IIS
not to do it (I don't have any direct experience of IIS configuration,
though).

See RFC 2246 section 7.4.2 (this is the TLS specification, but the same
applies to SSL).

BTW, use a more secure server, like Apache. IIS has had more security
bugs than you can shake a stick at, and almost certainly it has many
more undiscovered bugs.

- --
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBP1U+GDkCAxeYt5gVAQHnIAgAlpgcGlAXTUeRC0TYIts4PxdvVTni4tUR
mcMutYfKnWzqynEAxHM22RQneyvOrhP0q8ppzK6TpxWZuMcxPyNUzW772adR+9M5
/mZx6KYf4LikH8A4pXpC618b+UbFciPix6J65RDE9V5Xq5rgY99iJ9/89mTMZIT5
qh5yXUYAen/Y8q0OMl7EbMyj1B/fvwYIsopFhmAFfL3pbpKMoe+DcdkZMwNnKnwK
HuCjh3V5+bH3wGKohuavli1uhPG464vLLTEyh4qH5f6XNe1B6vOsuDxn/Hej5Cxk
M2/9DLH56AisvcU4oGpbSVi1JwyO7rFd+1fa/MTUrLt9QCHHyoh9QQ==
=vdp4
-----END PGP SIGNATURE-----
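An added example, not part of David Hopwood's reply and not IIS or OpenSSL tooling, that checks the point made above on a chain a server actually presented: it splits a PEM bundle of the kind `openssl s_client -showcerts` prints, pulls issuer and subject out of each certificate's DER with a small walker, and reports whether the chain stops short of a self-signed root (allowed by RFC 2246 section 7.4.2) so the client must already hold that issuer in its trust store. The names, the sample bundles and the certificate builder are constructed for this example; the sample certificates are unsigned placeholders that exercise the parser only.

```python
"""Summarise the shape of a certificate chain as a TLS server presented it."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """DER bytes of every certificate in a PEM bundle, in presented order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def _tlv_at(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, end_of_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _elements(value):
    """Top-level (tag, raw_encoding) pairs inside a SEQUENCE/SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _tlv_at(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of an X.509 certificate."""
    _, cert_body, _ = _tlv_at(der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv_at(cert_body, 0)       # tbsCertificate ::= SEQUENCE
    fields = _elements(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber(0) signature(1) issuer(2) validity(3) subject(4) ...
    return fields[2][1], fields[4][1]


def _first_text(name_der):
    """First string attribute value inside a Name (enough to label a CN)."""
    tag, value, _ = _tlv_at(name_der, 0)
    if tag in (0x13, 0x0C, 0x16):           # PrintableString / UTF8String / IA5String
        return value.decode("utf-8", "replace")
    if tag in (0x30, 0x31):                 # SEQUENCE / SET: look inside
        for _, child in _elements(value):
            text = _first_text(child)
            if text:
                return text
    return ""


def describe_chain(pem_text):
    """Count presented certs, check they link, and see whether a root was sent."""
    certs = [issuer_and_subject(der) for der in split_pem_bundle(pem_text)]
    if not certs:
        return {"presented": 0, "linked": True, "ends_in_root": False,
                "missing_issuer": None, "subjects": []}
    linked = all(certs[i][0] == certs[i + 1][1] for i in range(len(certs) - 1))
    last_issuer, last_subject = certs[-1]
    ends_in_root = last_issuer == last_subject   # self-signed last cert
    return {
        "presented": len(certs),
        "linked": linked,
        "ends_in_root": ends_in_root,
        # Issuer the client must already trust when the server omits the root.
        "missing_issuer": None if ends_in_root else _first_text(last_issuer),
        "subjects": [_first_text(subject) for _, subject in certs],
    }


# --- constructed test data (not real certificates) -------------------------
def _tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF { OID commonName 2.5.4.3, PrintableString }."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def constructed_cert_pem(subject_cn, issuer_cn):
    """Certificate-shaped DER with placeholder key and signature (unsigned)."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    validity = _tlv(0x30, _tlv(0x17, b"030903000000Z") + _tlv(0x17, b"040903000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))                              # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(16)))           # placeholder sig
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Two-certificate deployment: server sends only the leaf (the poster's case)
# versus leaf plus its self-signed root.
LEAF = constructed_cert_pem("www.example.test", "Example Root CA")
ROOT = constructed_cert_pem("Example Root CA", "Example Root CA")
SAMPLE_LEAF_ONLY = LEAF
SAMPLE_LEAF_AND_ROOT = LEAF + ROOT

if __name__ == "__main__":
    for label, bundle in (("leaf only", SAMPLE_LEAF_ONLY), ("leaf + root", SAMPLE_LEAF_AND_ROOT)):
        print(label, describe_chain(bundle))
```

On a real server the bundle would come from `openssl s_client -showcerts -connect host:443 </dev/null` (a real OpenSSL invocation, not something this example runs). A report of one presented certificate that is not self-signed is the situation in the question: nothing is broken, the client simply has to carry the issuer in its own trust store, and `linked` turning false is the case worth chasing, since it means the server is sending a chain that does not join up.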


