This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Certificate Request Size Change

0

I have two deployments, one is a virtual machine, and the other is a desktop. I am using Wireshark to capture the certificate handshake traffic between a mobile device using SSL to each deployment one at a time. For the virtual machine deployment on cloud --> Device Certificate handshake the size of "certificate Request" is 2374 Bytes. For Desktop connected via LAN to device size of certificate is 16000 Bytes.

Why is there a huge size difference?

asked 21 Aug '13, 13:49

Mustafa El-Hilo

Certificate Request is NOT the same as Certificate. Without seeing the actual packets it's hard to explain the difference. How about loading it to http://www.cloudshark.org?

(21 Aug '13, 14:09) mrEEde

I understand the difference between certificate and certificate request. Why does the certificate request change in size? Should they be the same?

(22 Aug '13, 05:34) Mustafa El-Hilo

Ok, so you're saying the 'Certificate Request' is 2374 bytes in size when your server runs in the cloud? Or is it the server "Certificate (chain)"?

And when the server runs on a desktop, the "Certificate (chain)" is 16000 bytes?

Instead of guessing it would really help if you'd paste a trace snippet or hardcopy of the SSL Handshake...

BTW. Does the handshake succeed?

(23 Aug '13, 04:14) mrEEde

Page 47 in http://sharkfest.wireshark.org/sharkfest.12/presentations/MB-1_SSL_Troubleshooting_with%20_Wireshark_Software.pdf shows a Certificate Request with a reasonable length of 159 bytes

(23 Aug '13, 05:35) mrEEde

The Certificate Request specifically, and I can't post any Wireshark snippets due to security reasons. And for both cases the SSL handshake is completed successfully. I am wondering if on the VM, since it has a virtual network card, it is not capturing all packets.

(23 Aug '13, 06:30) Mustafa El-Hilo

2 Answers:

1

The certificate request advertises CAs for the client to pick the right client certificate. This is done by listing the Distinguished Name (DN) of each certificate in the certificate bundle that was configured on the server.

So I suspect that the configuration of the webserver in the cloud is listing just a couple of CAs which are under its administrative domain and the webserver on your own system is listing all the Root CAs in your trust store.

Have a look at the CertificateRequest and look at the DNs to see if they indeed take up most space of the SSL record.

answered 23 Aug '13, 16:07

SYN-bit ♦♦

That was the answer I was looking for. Thanks.

(26 Aug '13, 06:09) Mustafa El-Hilo
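The check suggested in the answer above can be done on the raw bytes of the CertificateRequest handshake message without sharing the capture. The following is an added example, not part of the original thread: it parses the message layout from RFC 5246 section 7.4.4 and reports how much of the message the certificate_authorities list occupies. It assumes the input is the reassembled handshake message starting at its type byte; the sample messages and CA names are constructed.

```python
def _vector(buf: bytes, pos: int, len_bytes: int):
    """Read one length-prefixed TLS vector; return (data, next_pos)."""
    end = pos + len_bytes
    n = int.from_bytes(buf[pos:end], "big")
    if end + n > len(buf):
        raise ValueError("truncated length-prefixed field")
    return buf[end:end + n], end + n

def parse_certificate_request(msg: bytes, tls12: bool = True) -> dict:
    """Measure the fields of a CertificateRequest (handshake type 13).
    Pass tls12=False for TLS 1.0/1.1, which has no signature-algorithm vector."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("length field does not match message size")
    cert_types, pos = _vector(body, 0, 1)
    sig_algs, pos = _vector(body, pos, 2) if tls12 else (b"", pos)
    ca_list, pos = _vector(body, pos, 2)
    dn_sizes, i = [], 0
    while i < len(ca_list):            # each entry: 2-byte length + DER-encoded DN
        dn, i = _vector(ca_list, i, 2)
        dn_sizes.append(len(dn))
    return {"handshake_bytes": len(msg), "ca_count": len(dn_sizes),
            "ca_list_bytes": len(ca_list), "dn_sizes": dn_sizes,
            "ca_share": len(ca_list) / len(msg)}

def _tlv(tag: int, content: bytes) -> bytes:
    # Short-form DER length only (content < 128 bytes); enough for the sample.
    return bytes([tag, len(content)]) + content

def sample_request(ca_count: int) -> bytes:
    """Constructed TLS 1.2 CertificateRequest advertising ca_count made-up CAs."""
    cas = b""
    for i in range(ca_count):
        cn = _tlv(0x0C, f"Constructed CA {i:03d}".encode())   # UTF8String
        dn = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + cn)))
        cas += len(dn).to_bytes(2, "big") + dn
    body = (b"\x02\x01\x40"                    # certificate_types: rsa_sign, ecdsa_sign
            + b"\x00\x04\x04\x01\x04\x03"      # supported_signature_algorithms
            + len(cas).to_bytes(2, "big") + cas)
    return b"\x0d" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for label, count in (("short CA list", 2), ("full trust store", 150)):
        r = parse_certificate_request(sample_request(count))
        print(f"{label}: {r['handshake_bytes']} bytes, {r['ca_count']} DNs, "
              f"{r['ca_share']:.0%} of the message is the CA list")
```
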

0

So to summarize: the TLS handshake succeeds in both cases, the server running on a desktop and the server running in the cloud (VM). The difference is in the size of Certificate Request (or is it the certificate chain) and the question(s) is (are):

  • Why is there a huge difference in size? Why (is) does the certificate request change in size?
  • Should they be the same?

Since you can't provide the two "certificate requests" due to security/privacy concerns I (we) can not comment on question number one.

As for question number 2, the answer is 'No' as the handshake succeeds either way so obviously it is a valid TLS/SSL handshake procedure.

answered 23 Aug '13, 14:11

mrEEde