The information below shows the Wireshark log for my SSL connection to one of my LDAP servers. In this, the client certificate length is zero. Please let me know what is meant by this. Is it because of lack of client authentication? For mutual authentication, is it mandatory to contain the client certificate?
```
329 SSLv2 Client Hello
332 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
334 TLSv1 Certificate, Client Key Exchange
336 TLSv1 Change Cipher Spec, Encrypted Handshake Message
337 TLSv1 Change Cipher Spec, Encrypted Handshake Message
```
Frame 332 shows full certificate information and 334 shows `Certificates Length: 0`.
In frame 334, Client Key Exchange contains enough information to pass the premaster-secret.
The `Certificate Request` message means that the server requested a client certificate (mandatory or not).

An empty `Certificate` message sent in response by the client means that the client didn't find a suitable client certificate to use (or chose not to use it).

Whether the server wants to carry on with this connection is up to its configuration. Client-certificate authentication can be optional.
This behaviour is described in the [TLS specification][1]:
(This is from the TLS 1.2 specification; in TLS 1.1 and below, it was just […] SHOULD send a certificate message […].)
[1]: https://www.rfc-editor.org/rfc/rfc5246#section-7.4.6
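
To check for the empty client `Certificate` message outside Wireshark, the following added example (not part of the original question or answer) parses one unencrypted TLS 1.0 to 1.2 handshake record and reports the length of each certificate in the list. The function names are hypothetical, the sample bytes are constructed rather than taken from the capture above, and it assumes the record contains only whole handshake messages.

```python
HANDSHAKE_RECORD = 22
NAMES = {11: "Certificate", 13: "Certificate Request", 16: "Client Key Exchange"}

def u(data: bytes) -> int:
    return int.from_bytes(data, "big")

def certificate_lengths(body: bytes) -> list:
    """Certificate body: 3-byte list length, then 3-byte-length-prefixed entries."""
    if len(body) < 3 or u(body[:3]) != len(body) - 3:
        raise ValueError("bad certificate_list length")
    lengths, off = [], 3
    while off < len(body):
        n = u(body[off:off + 3])
        if off + 3 + n > len(body):      # also catches a truncated length field
            raise ValueError("truncated certificate entry")
        lengths.append(n)
        off += 3 + n
    return lengths

def parse_record(record: bytes) -> list:
    """Return [(message name, certificate lengths or None)] for one record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    if len(record) != 5 + u(record[3:5]):
        raise ValueError("record length mismatch")
    body, messages, off = record[5:], [], 0
    while off < len(body):
        mtype, mlen = body[off], u(body[off + 1:off + 4])
        if off + 4 + mlen > len(body):   # also catches a truncated header
            raise ValueError("truncated handshake message")
        msg = body[off + 4:off + 4 + mlen]
        certs = certificate_lengths(msg) if mtype == 11 else None
        messages.append((NAMES.get(mtype, f"type {mtype}"), certs))
        off += 4 + mlen
    return messages

def client_presented_certificate(record: bytes):
    """True/False if the record holds a Certificate message, None if it has none."""
    for name, certs in parse_record(record):
        if name == "Certificate":
            return bool(certs)           # [] is the "Certificates Length: 0" case
    return None

# Constructed sample bytes (placeholders, not real key material or certificates).
def hs(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def rec(payload): return b"\x16\x03\x01" + len(payload).to_bytes(2, "big") + payload
CKE = hs(16, b"\x00\x02\xaa\xbb")
EMPTY = rec(hs(11, b"\x00\x00\x00") + CKE)   # same message layout as frame 334
WITH_CERT = rec(hs(11, b"\x00\x00\x08\x00\x00\x05" + b"\x30\x03\x02\x01\x00") + CKE)
```

`parse_record(EMPTY)` yields a `Certificate` entry with an empty list followed by `Client Key Exchange`, which is the layout Wireshark summarises as `Certificates Length: 0` in frame 334.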