4. TLS Client and Server Handshake Behavior
This specification extends the ClientHello and the ServerHello messages, according to the extension procedures defined in [RFC5246]. It does not extend or modify any other TLS message.
Note: No new cipher suites are required to use raw public keys. All existing cipher suites that support a key exchange method compatible with the defined extension can be used.
The high-level message exchange in Figure 5 shows the client_certificate_type and server_certificate_type extensions added to the client and server hello messages.
   client_hello,
   client_certificate_type,
   server_certificate_type   ->

                             <-  server_hello,
                                 client_certificate_type,
                                 server_certificate_type,
                                 certificate,
                                 server_key_exchange,
                                 certificate_request,
                                 server_hello_done
   certificate,
   client_key_exchange,
   certificate_verify,
   change_cipher_spec,
   finished                  ->

                             <-  change_cipher_spec,
                                 finished

   Application Data        <------->     Application Data
Figure 5: Basic Raw Public Key TLS Exchange
4.1. Client Hello
In order to indicate the support of raw public keys, clients include the client_certificate_type and/or the server_certificate_type extensions in an extended client hello message. The hello extension mechanism is described in Section 7.4.1.4 of TLS 1.2 [RFC5246].
The client_certificate_type extension in the client hello indicates the certificate types the client is able to provide to the server, when requested using a certificate_request message.
The server_certificate_type extension in the client hello indicates the types of certificates the client is able to process when provided by the server in a subsequent certificate payload.
The client_certificate_type and server_certificate_type extensions sent in the client hello each carry a list of supported certificate types, sorted by client preference. When the client supports only one certificate type, it is a list containing a single element.
The TLS client MUST omit certificate types from the client_certificate_type extension in the client hello if it does not possess the corresponding raw public key or certificate that it can provide to the server when requested using a certificate_request message, or if it is not configured to use one with the given TLS server. If the client has no remaining certificate types to send in the client hello, other than the default X.509 type, it MUST omit the client_certificate_type extension in the client hello.
The TLS client MUST omit certificate types from the server_certificate_type extension in the client hello if it is unable to process the corresponding raw public key or other certificate type. If the client has no remaining certificate types to send in the client hello, other than the default X.509 certificate type, it MUST omit the entire server_certificate_type extension from the client hello.
4.2. Server Hello
If the server receives a client hello that contains the client_certificate_type extension and/or the server_certificate_type extension, then three outcomes are possible:
- The server does not support the extension defined in this document. In this case, the server returns the server hello without the extensions defined in this document.
- The server supports the extension defined in this document, but it does not have any certificate type in common with the client. Then, the server terminates the session with a fatal alert of type "unsupported_certificate".
- The server supports the extensions defined in this document and has at least one certificate type in common with the client. In this case, the processing rules described below are followed.
The client_certificate_type extension in the client hello indicates the certificate types the client is able to provide to the server, when requested using a certificate_request message. If the TLS server wants to request a certificate from the client (via the certificate_request message), it MUST include the client_certificate_type extension in the server hello. This client_certificate_type extension in the server hello then indicates the type of certificates the client is requested to provide in a subsequent certificate payload. The value conveyed in the client_certificate_type extension MUST be selected from one of the values provided in the client_certificate_type extension sent in the client hello. The server MUST also include a certificate_request payload in the server hello message.
If the server does not send a certificate_request payload (for example, because client authentication happens at the application layer or no client authentication is required) or none of the certificates supported by the client (as indicated in the client_certificate_type extension in the client hello) match the server-supported certificate types, then the client_certificate_type payload in the server hello MUST be omitted.
The server_certificate_type extension in the client hello indicates the types of certificates the client is able to process when provided by the server in a subsequent certificate payload. If the client hello indicates support of raw public keys in the server_certificate_type extension and the server chooses to use raw public keys, then the TLS server MUST place the SubjectPublicKeyInfo structure into the Certificate payload. With the server_certificate_type extension in the server hello, the TLS server indicates the certificate type carried in the Certificate payload. This additional indication enables avoiding parsing ambiguities since the Certificate payload may contain either the X.509 certificate or a SubjectPublicKeyInfo structure. Note that only a single value is permitted in the server_certificate_type extension when carried in the server hello.
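The following is an added example, not code from RFC 7250 or from any TLS implementation: it encodes the two hello extensions on the wire, applies the client-side omission rules of Section 4.1, runs the server-side selection of Section 4.2 (including the fatal unsupported_certificate outcome), and has the client check that each value the server returns is a single type it actually offered. The extension type numbers (19, 20), the CertificateType values (X.509 = 0, RawPublicKey = 2) and the alert code unsupported_certificate(43) are the IANA-registered values; the function names, the set-based server configuration and the `negotiate` driver are this example's own assumptions.

```python
import struct

# IANA-registered values; the Python names are this example's own.
EXT_CLIENT_CERTIFICATE_TYPE = 19
EXT_SERVER_CERTIFICATE_TYPE = 20
X509 = 0
RAW_PUBLIC_KEY = 2
ALERT_UNSUPPORTED_CERTIFICATE = 43   # TLS AlertDescription unsupported_certificate


def encode_list_extension(ext_type, cert_types):
    """ClientHello form: a 1-byte-length-prefixed list of CertificateType values."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    return struct.pack("!HH", ext_type, len(body)) + body


def encode_single_extension(ext_type, cert_type):
    """ServerHello form: exactly one CertificateType value."""
    return struct.pack("!HH", ext_type, 1) + bytes([cert_type])


def decode_extensions(blob):
    """Split a run of TLS extensions (type, length, data) into {type: data}."""
    exts = {}
    while blob:
        ext_type, length = struct.unpack("!HH", blob[:4])
        exts[ext_type] = blob[4:4 + length]
        blob = blob[4 + length:]
    return exts


def decode_list(data):
    """Parse the ClientHello list form; reject empty or truncated lists."""
    n = data[0] if data else 0
    if n == 0 or len(data) != 1 + n:
        raise ValueError("malformed certificate type list")
    return list(data[1:])


def client_hello_extensions(can_provide, can_process):
    """Section 4.1: lists are in client preference order, and an extension
    whose only remaining entry would be the default X.509 type is omitted."""
    out = b""
    if any(t != X509 for t in can_provide):
        out += encode_list_extension(EXT_CLIENT_CERTIFICATE_TYPE, can_provide)
    if any(t != X509 for t in can_process):
        out += encode_list_extension(EXT_SERVER_CERTIFICATE_TYPE, can_process)
    return out


def server_hello_extensions(client_exts, accepts_from_client, can_offer, wants_client_auth):
    """Section 4.2. Returns (extension bytes, alert or None, server type, requested client type).
    A missing extension means the peer only supports the default X.509 type."""
    client_offers = (decode_list(client_exts[EXT_CLIENT_CERTIFICATE_TYPE])
                     if EXT_CLIENT_CERTIFICATE_TYPE in client_exts else [X509])
    client_accepts = (decode_list(client_exts[EXT_SERVER_CERTIFICATE_TYPE])
                      if EXT_SERVER_CERTIFICATE_TYPE in client_exts else [X509])
    # Honour client preference order: first type the client listed that we can offer.
    server_type = next((t for t in client_accepts if t in can_offer), None)
    if server_type is None:
        return b"", ALERT_UNSUPPORTED_CERTIFICATE, None, None   # nothing in common: fatal alert
    out, requested = b"", None
    if wants_client_auth:   # server will send certificate_request
        requested = next((t for t in client_offers if t in accepts_from_client), None)
        if requested is None:
            return b"", ALERT_UNSUPPORTED_CERTIFICATE, None, None
        if EXT_CLIENT_CERTIFICATE_TYPE in client_exts:   # never echo an extension the client did not send
            out += encode_single_extension(EXT_CLIENT_CERTIFICATE_TYPE, requested)
    if EXT_SERVER_CERTIFICATE_TYPE in client_exts:
        out += encode_single_extension(EXT_SERVER_CERTIFICATE_TYPE, server_type)
    return out, None, server_type, requested


def client_check_server_hello(server_exts, can_provide, can_process):
    """Client side: each returned extension carries one value, and it must be one the client listed."""
    chosen = {}
    for ext_type, offered in ((EXT_CLIENT_CERTIFICATE_TYPE, can_provide),
                              (EXT_SERVER_CERTIFICATE_TYPE, can_process)):
        if ext_type in server_exts:
            data = server_exts[ext_type]
            if len(data) != 1 or data[0] not in offered:
                raise ValueError("server selected a certificate type the client did not offer")
            chosen[ext_type] = data[0]
    return chosen


def negotiate(can_provide, can_process, accepts_from_client, can_offer, wants_client_auth):
    """Run one client/server exchange and return what the client ends up with."""
    client_exts = decode_extensions(client_hello_extensions(can_provide, can_process))
    exts, alert, _, _ = server_hello_extensions(client_exts, accepts_from_client, can_offer, wants_client_auth)
    if alert is not None:
        return {"alert": alert}
    return client_check_server_hello(decode_extensions(exts), can_provide, can_process)


if __name__ == "__main__":
    print(negotiate([RAW_PUBLIC_KEY, X509], [RAW_PUBLIC_KEY], {RAW_PUBLIC_KEY}, {RAW_PUBLIC_KEY, X509}, True))
```

The decoder deliberately rejects an empty list and a server hello value of more than one byte, which is where a lenient implementation would otherwise accept a peer steering it into a type it never advertised.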
4.3. Client Authentication
When the TLS server has specified RawPublicKey as the client_certificate_type, authentication of the TLS client to the TLS server is supported only through authentication of the received client SubjectPublicKeyInfo via an out-of-band method.
4.4. Server Authentication
When the TLS server has specified RawPublicKey as the server_certificate_type, authentication of the TLS server to the TLS client is supported only through authentication of the received server SubjectPublicKeyInfo via an out-of-band method.
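Sections 4.3 and 4.4 leave the out-of-band method unspecified. The following is an added example, not code from RFC 7250 or from any TLS stack, of the simplest such method: the verifying side holds a pre-provisioned set of SHA-256 fingerprints of the DER-encoded SubjectPublicKeyInfo it trusts for a given peer, and accepts a received raw public key only if its fingerprint is in that set. The sample SPKI bytes are constructed for this example (an Ed25519 SubjectPublicKeyInfo framing around a non-key byte pattern), and the function names and the identity-keyed pin store are assumptions of the example.

```python
import hashlib
import hmac

# Constructed sample: Ed25519 SubjectPublicKeyInfo DER framing around a
# placeholder 32-byte pattern. It is not a real key.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# Pin store provisioned out of band, keyed by the peer identity the
# application expects (device id, hostname, ...). Example data only.
PIN_STORE = {
    "sensor-0042": {hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()},
}


def looks_like_spki(der):
    """Cheap framing check: the payload must be one DER SEQUENCE whose declared
    length matches the bytes received. An X.509 certificate is also a SEQUENCE,
    so this does not replace the server_certificate_type indication; it only
    catches truncated or padded payloads before hashing."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long-form: next n bytes hold the length
    if len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def spki_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def authenticate_raw_public_key(peer_id, der, pin_store=PIN_STORE):
    """True only if the received SPKI is well framed and matches a pin for peer_id.
    Comparison is constant-time so a mismatch does not reveal a prefix match."""
    if not looks_like_spki(der):
        return False
    fp = spki_fingerprint(der)
    return any(hmac.compare_digest(fp, pin) for pin in pin_store.get(peer_id, ()))


if __name__ == "__main__":
    print(authenticate_raw_public_key("sensor-0042", SAMPLE_SPKI_DER))
```

Because a raw public key carries no issuer, validity period or revocation pointer, the pin store is the whole trust decision: rotating a peer's key means replacing its entry, and an entry that is never expired or removed keeps authenticating that key indefinitely.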