Basically what the above says, assuming the eavesdropper must be completely passive, and cannot connect to the server to check if the server requires a client certificate.
Asked
Active
Viewed 653 times
2 Answers
7
Yes, the client certificate is sent in the clear if the server sent a certificate request.
Some servers (IIRC, Microsoft IIS) first perform handshake with no user authentication and then start a renegotiation asking for client certificate. The renegotiation is thus encrypted using the cipher suite negotiated in step 1 and the client certificate is encrypted on the wire.
If in doubt, use wireshark.
Z.T.
- 7,963
- 1
- 22
- 36