SSL connection issues when using client certificate authentication

Posted on Friday, April 4, 2014 by Nicki

The SSL subsystem in Windows (Schannel) has a limitation on the maximum size of the Trusted Issuers list that the server sends to the client during client certificate authentication. When the list exceeds that size it is truncated, and if the issuer of your client certificate is not among the entries that survive, the client cannot select a certificate the server will accept and authentication fails with the following response:

HTTP/1.1 403 Forbidden
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 04 Apr 2014 10:00:13 GMT
This will be accompanied by an entry with Event ID 36885 in the Windows System event log:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

There are two approaches to fix this:

  • remove certificates from the list of Trusted Issuers (not always easy or safe, since you might delete certificates required by the operating system or other installed software), or
  • create a registry setting that causes the SSL subsystem to no longer send the list of Trusted Issuers to the client, so the list can no longer be truncated.
I personally prefer the second option, as there is less chance of disaster, IMHO.
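The following PowerShell script is an added example, not part of the original post. It shows how an administrator would confirm the symptom (Event ID 36885 in the System log), gauge how many issuers the machine currently trusts, back up the Schannel key, and then apply the second option. It assumes the documented Schannel registry value SendTrustedIssuerList (DWORD, 0 = do not send the list) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, which the post refers to but does not name, and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): diagnose the truncated
# Trusted Issuers list and apply the registry workaround (option 2).
# Assumptions: SendTrustedIssuerList under the SCHANNEL key is the Windows
# setting meant by the post; run elevated; plan a reboot for Schannel to
# pick up the change.

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName   = 'SendTrustedIssuerList'

function Get-TruncatedIssuerListEvents {
    param([int]$Days = 7)
    # Event ID 36885 is the "list has been truncated" warning quoted in the post.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 36885
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-TrustedIssuerCount {
    # Rough size of what the server would advertise: CA certificates in the
    # machine Root and intermediate CA stores. The post gives no exact limit,
    # so this number is only useful for before/after comparison if you prune
    # certificates (option 1).
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
    @($stores | ForEach-Object { Get-ChildItem -Path $_ }).Count
}

function Get-SendTrustedIssuerList {
    # Returns the current DWORD, or $null when the value is absent
    # (i.e. the Windows default behaviour of sending the list applies).
    $prop = Get-ItemProperty -Path $schannelKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$valueName
}

function Backup-SchannelKey {
    param([string]$Path = "$env:TEMP\SCHANNEL-backup.reg")
    # Export the key so the change can be reverted with 'reg import'.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Path /y | Out-Null
    return $Path
}

function Disable-SendTrustedIssuerList {
    # Option 2 from the post: stop Schannel from sending the Trusted Issuers
    # list at all, so it can no longer be truncated. The client then selects
    # a certificate without the server's hint.
    $current = Get-SendTrustedIssuerList
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Host "Current $valueName = $shown"
    if (-not (Test-Path -Path $schannelKey)) {
        New-Item -Path $schannelKey -Force | Out-Null
    }
    New-ItemProperty -Path $schannelKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Set $valueName = 0; reboot for Schannel to apply the change."
}

# Usage (run as Administrator):
Get-TruncatedIssuerListEvents | Format-Table -AutoSize
Write-Host "CA certificates in machine Root+CA stores: $(Get-TrustedIssuerCount)"
Write-Host "Registry backup written to: $(Backup-SchannelKey)"
Disable-SendTrustedIssuerList
```

The event query is the check to run first: if no 36885 entries exist, the 403 has a different cause and the registry change will not help. The backup step keeps option 2 reversible, which is the property that makes it the lower-risk choice the post describes.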
