5
$\begingroup$

I have read TLS v1.3 RFC and haven't quite understood - does server certificate chain, that is sent to the client, MUST contain intermediate certificate or it is not a strict requirement (e.g. SHOULD or MAY)? I haven't found a reference for this question in the RFC.

The only info about that in RFC I found is:

The sender's certificate MUST come in the first CertificateEntry in the list. Each following certificate SHOULD directly certify the one immediately preceding it.

But SHOULD is not MUST!

Improve this question
$\endgroup$

3 Answers 3

Reset to default
6
$\begingroup$

This is an interesting question, and the true answer to the question if they should be included at all is not really present in TLS. The simple truth is that the Certification Path Validation is not detailed in the TLS RFC, it relies upon the generic X.509v3 RFC's (link to RFC 5280, section 6).

There is a bit of information in the TLS specification about the presence of certificates and some information about the order of the certificates; this information is discussed in the final two sections of the answer.

Certification path validation in practice

In general, the idea of intermediate certificates is to establish a (trust) path. This trust path is build upon the knowledge of the client to which certificates is used as a trust anchor at the client. The trust anchor is usually the root certificate, but it may not be.

For instance, you could have a commercial CA create and sign an intermediate certificate that is used for a particular purpose and within a specific organization, for instance in machine-to-machine certification. In that case you would not trust the root certificate as that would mean you would trust any certificate created by the commercial CA. Instead you'd trust the CA specifically created for you. In that case this certificate would of course not need to be included in the trust path, as the trust anchor needs to be present anyway. It may also be the case that the server has stored some intermediate certificates used by known clients so that they don't need to be sent to build up the trust path.

In general servers should however always send all the certificates up to but excluding the trust anchor in order to the server. Just as TLS 1.2 clients would sometimes deviate from this paradigm (see the final section of this answer) it can be expected that some TLS 1.3 clients will deviate and expect the certificates in order, even if TLS 1.3 specifies that they can be in any order.

One common mistake of servers is to configure just the server certificate, test the connection with a previously used client (often the browser used by the technician), and then call success if the connection is successfully established. This reasoning is incorrect as clients often cache intermediate certificates. They could even store intermediate certs as trust anchors for different servers. In that case a trust path is successfully established even though the intermediate certificates are not present. Other clients will however not be able to build up the trust path, leading to failure to authenticate the server. Even the client that did create the full trust path may empty the cache or reconfigure their trust store, leading to the same failure to authenticate the server.

In principle, TLS only requires that the server certificate be present. That, however, assumes that the client has access to the intermediate certificates; otherwise, trust path construction, and therefore authentication, fails. By far the most common situation is that all the certificates are sent in reverse order, starting with the leaf certificate, thus including all CA certificates except the root. If the root is included, it will simply be ignored by the client, as it or the information contained in it should already be present. A pinned self signed certificate could be a possible exception as it is both a leaf and root certificate in one.

Note that I used "trust path" rather than the official "certification path" as we now use the certificates to build up a path for verification, to establish trust in the the intermediate and leaf certificates.

Inclusion of intermediate certificates in TLS 1.3

Here is a little piece of information to indicate that any supporting certificates should be sent. "Supporting" in this case should be read as any certificate required to build the trust path.

Certificate: The certificate to be used for authentication, and any supporting certificates [emphasis mine] in the chain.

Here's a hint that the trust anchors - again, usually the root certificates - should not be sent:

Certificates that are self-signed or certificates that are expected to be trust anchors are not validated as part of the chain and therefore MAY be signed with any algorithm.

Certification ordering in TLS 1.3

About the order, it seems that now any ordering of certificates within the certificate_list should be allowed. This will allow more flexible schemes, but it comes at the cost of embedded devices that may need to store the intermediate certificates to build a trust path to the anchor (usually a trusted root certificate) rather than to verify each one until the root is found.

Note that some decision making was always involved as there may be overlap between the certificates included in the chain and the ones in a certificate cache.

Note: Prior to TLS 1.3, "certificate_list" ordering required each certificate to certify the one immediately preceding it; however, some implementations allowed some flexibility. Servers sometimes send both a current and deprecated intermediate for transitional purposes, and others are simply configured incorrectly, but these cases can nonetheless be validated properly. For maximum compatibility, all implementations SHOULD be prepared to handle potentially extraneous certificates and arbitrary orderings from any TLS version, with the exception of the end-entity certificate which MUST be first.

As said before, I would strongly recommend to send the certificate in order, i.e. first the leaf server certificate (required) and then the certificate chain leading up to but not including the trust anchor / root certificate.

Improve this answer
$\endgroup$
3
$\begingroup$

In the previous version (i.e. TLS 1.2), the wording was MUST, so the change can't be unintentional. My wild guess for this is that, it allows for saving communication bandwidth.

Many schemes have large cipher transcripts. If say the server has a ML-DSA public key, it may be signed by a CA using some MQ scheme such as UOV, resulting in a smaller certificate file, HOWEVER, UOV has a large public key, so omitting it can result in a considerable saving.

Improve this answer
$\endgroup$
4
  • $\begingroup$ Even ML-DSA public keys and signatures are pretty large (not UOV public key sized, but still), and so being able to omit some of them is a significant savings $\endgroup$ Commented yesterday
  • $\begingroup$ @poncho am I correct then saying that intermediate certs may be omitted from the server's TLS v1.3 certificate set in the handshake response to the client? $\endgroup$ Commented yesterday
  • 1
    $\begingroup$ Permitted, yes. Recommended, only if you are absolutely certain all clients already have the intermediates. (This may be the case if you control all clients, e.g. an intranet site. It's usually otherwise not safe to assume.) $\endgroup$ Commented 23 hours ago
  • $\begingroup$ @Miral Also tricky when the certificates are out of date. In that case they need to be manually updated between the time they are issued and their starting date (which often is "now", so that's a thing). That or the server and client must agree on a smart caching system (new cert? send full chain! otherwise not necessary because stored, never seen this in practice though, so you can safely ignore). I.e. only do this if you truly experience bandwith issues. $\endgroup$ Commented 13 hours ago
3
$\begingroup$

In TLS 1.3, the server must send its own certificate first, but sending intermediate certificates is recommended (SHOULD), not strictly required. In practice, omitting intermediates often breaks validation on clients that don���t already have them, so it’s considered best practice to include the full chain up to a trusted root.

Reference: RFC 8446 §4.4.2

Improve this answer
New contributor
olena_kovalenko3 is a new contributor to this site. Take care in asking for clarification, commenting, and answering. Check out our Code of Conduct.
$\endgroup$
1
  • $\begingroup$ I read the RFC as strongly implying certificates that are not trust anchors must be provided. Per RFC 8446, p4.4.2 Certificate : "a certificate that specifies a trust anchor MAY be omitted from the chain, provided that supported peers are known to possess any omitted certificates" ONLY "trust anchors" may be omitted. Which strongly implies certificates that are not trust anchors MAY NOT be omitted, to use the RFC's own capitalization style. The RFC certainly could be worded better here. $\endgroup$ Commented 10 hours ago

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.