0

I'm interested in how a x509 certificate is validated by a client step by step. Let's imagine that a web server and a client wanna talk to each other using secure connection:

  1. Client asks a server for a secure connection
  2. A server exposes its certificate to a client
  3. A client generates an one-time-session encrypted key
  4. Start session...

Are these steps somewhat right?

The actual question is How a client actually can trust the certificate (what fields it verifies with what, does it verify some serial numbers, signatures or issuers, etc?)

k1r1t0
  • 465
  • 2
  • 11
  • 1
    These kind of questions are better suited for [security.se]. And there are already good answers like [SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?](https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity). – Steffen Ullrich Nov 14 '22 at 14:02
  • *"A client generates an one-time-session encrypted key"* - a) this has nothing to do with certificate validation. b) this is not true for modern key exchange in TLS. Modern key exchange builds the shared secrets based on information from both sides - see [Diffie–Hellman key exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). – Steffen Ullrich Nov 14 '22 at 14:05

0 Answers0