On 18/07/2013 4:36 PM, Edwin Van Schaick wrote:
> Hi Pete,
> Thank you for your response. The server I try to access is a local
> server with a certificate chain of three certificates. When I access
> the server using a browser, I can view the chain with a root CA, a
> technical CA in between and the server certificate itself. For some
> reason I don't receive them when using the TlsProtocolHandler class.
> At this moment I don't know if the server returns all certificates and
> if not why that happens.
NotifyServerCertificate is sending you the server Certificate message.
If there's only one entry in the list, the server only sent one. If you
suspect the BC implementation, then use e.g. Wireshark to inspect the
network packets.
The fact that the browser displays a chain only means that the browser
was able to construct the chain "somehow", typically by already having
the other certificates installed. Indeed, you have to be able to
construct the chain to validate it. You should be able to view these
installed certificates in your browser settings somewhere.
> For SSL Pinning I want to receive the root CA from the server to be
> able to guarantee that it is indeed the correct root CA.
Just take pinning out of the equation for a moment. How are you going to
figure out the certificate chain in order to validate it? The TLS
protocol itself doesn't require the server to send the full chain, nor
can the client beg, trick, or force the server to do so, AFAIK.
Pete.
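An added example (not code from this thread or from Bouncy Castle itself) of doing what Pete describes inside NotifyServerCertificate, assuming the BC C# lightweight TLS API of that time (TlsAuthentication, Certificate.GetCerts()): take only what the server actually sent, complete the chain from locally installed CA certificates, verify it, and only then pin the root. The localCaCerts list and the pinned hex digest are assumed inputs supplied by the caller.

```csharp
using System.Collections.Generic;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Crypto.Tls;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.Utilities.Encoders;
using Org.BouncyCastle.X509;

// Added example, not BC's own code: complete the chain, verify it, then pin the root's key.
public class PinningTlsAuthentication : TlsAuthentication
{
    private readonly IList<X509CertificateStructure> localCaCerts;   // caller-supplied trust store
    private readonly byte[] pinnedRootSpkiSha256;                    // caller-supplied pin (assumed input)

    public PinningTlsAuthentication(IList<X509CertificateStructure> localCaCerts, string pinnedRootSpkiSha256Hex)
    {
        this.localCaCerts = localCaCerts;
        this.pinnedRootSpkiSha256 = Hex.Decode(pinnedRootSpkiSha256Hex);
    }

    public void NotifyServerCertificate(Certificate serverCertificate)
    {
        X509CertificateStructure[] sent = serverCertificate.GetCerts(); // exactly what the server sent
        if (sent.Length == 0) throw new TlsFatalAlert(AlertDescription.bad_certificate);
        var pool = new List<X509CertificateStructure>(sent);
        pool.AddRange(localCaCerts); // candidate issuers: sent certs first, then the local store

        // Follow issuer links from the leaf until a self-signed certificate is reached.
        X509CertificateStructure current = sent[0];
        var chain = new List<X509CertificateStructure> { current };
        while (!current.Subject.Equivalent(current.Issuer))
        {
            X509CertificateStructure issuer = pool.Find(c => c.Subject.Equivalent(current.Issuer));
            if (issuer == null || chain.Contains(issuer))
                throw new TlsFatalAlert(AlertDescription.unknown_ca); // chain cannot be completed
            var cert = new X509Certificate(current);
            cert.CheckValidity(); // throws if expired or not yet valid
            cert.Verify(PublicKeyFactory.CreateKey(issuer.SubjectPublicKeyInfo)); // throws on bad signature
            chain.Add(issuer);
            current = issuer;
        }

        // Pin the root's public key (SHA-256 of its DER SubjectPublicKeyInfo), not the whole certificate.
        byte[] spki = current.SubjectPublicKeyInfo.GetDerEncoded();
        var sha256 = new Sha256Digest();
        sha256.BlockUpdate(spki, 0, spki.Length);
        byte[] hash = new byte[sha256.GetDigestSize()];
        sha256.DoFinal(hash, 0);
        if (!Arrays.AreEqual(hash, pinnedRootSpkiSha256)) throw new TlsFatalAlert(AlertDescription.bad_certificate);
    }

    public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest) { return null; }
}
```

If the server really sends only the leaf, sent.Length is 1 and the intermediate and root must come from localCaCerts; with an empty local store the loop fails with unknown_ca, which is the situation Pete describes.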