During SSL communication, the server sends its certificate to the client for authentication.
Optionally, the client could send its certificate too, for client authentication.
My question is, does the server (or client) send the entire chain to the client (i.e. signing certificates) or only its own certificate?
I have noticed that usually only its own certificate is being sent, but I was wondering whether it is configurable or whether it does not make sense to send the entire chain to the other party.
Thanks
It is configurable.
Any cert that is already known by the peer does not need to be sent (with the caveat that each certificate in the certificate_list must directly certify the one preceding it, except the first certificate, which has no preceding cert).
It never makes sense to send the root, under the assumption that the peer must already possess it in order to validate it in any case. As to intermediate certs, it depends on your particular certificate chain.
To answer the part about the client, when the server asks for the client certificate it sends a list of CAs that it recognizes. The client only needs to send its cert chain up to one of those recognized CAs.
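The rules in this answer (leaf first, every entry certifies the one before it, never send the root, stop at whatever the peer already trusts, and on the client side stop at one of the CAs named in the server's CertificateRequest) can be modelled without real X.509. The following is an added example, not code from the answer or from any TLS library; the three certificate names and the `Cert` stand-in are constructed for illustration and only carry subject and issuer names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root is self-signed: its issuer is itself.
        return self.subject == self.issuer


# Constructed sample PKI (not real certificates): root -> intermediate -> leaf.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA 1", "Example Root CA")
LEAF = Cert("www.example.test", "Example Issuing CA 1")
FULL_CHAIN = [LEAF, INTERMEDIATE, ROOT]


def chain_is_well_ordered(chain):
    """certificate_list rule: first entry is the end-entity certificate and
    each following entry must directly certify the one preceding it."""
    if not chain:
        return False
    return all(chain[i].subject == chain[i - 1].issuer for i in range(1, len(chain)))


def chain_to_send(full_chain, peer_known):
    """Return the certificates worth putting on the wire.

    Walk up from the leaf; stop as soon as the next issuer is a name the peer
    already holds (peer_known), and never include a self-signed root, because the
    peer must already possess the root to validate anything at all."""
    if not chain_is_well_ordered(full_chain):
        raise ValueError("chain must be ordered leaf-first")
    to_send = []
    for cert in full_chain:
        if cert.self_signed:
            break
        to_send.append(cert)
        if cert.issuer in peer_known:
            break
    return to_send


def peer_can_validate(received, peer_known):
    """Peer-side check: the received list must be well ordered and its last
    entry must be issued by something the peer already trusts. A server that
    sends only its leaf fails this when the peer holds just the root."""
    return chain_is_well_ordered(received) and received[-1].issuer in peer_known


def client_chain_for_request(full_chain, acceptable_cas):
    """Client side: the server's CertificateRequest carries the CA names it
    recognises. Send the chain up to one of them; None if no CA matches."""
    accepted = set(acceptable_cas)
    sent = chain_to_send(full_chain, accepted)
    if sent and sent[-1].issuer in accepted:
        return sent
    return None


if __name__ == "__main__":
    # Peer has only the root: leaf + intermediate must go out, root must not.
    print([c.subject for c in chain_to_send(FULL_CHAIN, {"Example Root CA"})])
    # Peer already holds the intermediate: the leaf alone is enough.
    print([c.subject for c in chain_to_send(FULL_CHAIN, {"Example Issuing CA 1"})])
    # Common misconfiguration: only the leaf is sent, peer holds only the root.
    print(peer_can_validate([LEAF], {"Example Root CA"}))
```

The `peer_can_validate([LEAF], ...)` case is the one to check in practice: a server that omits its intermediate may still work against browsers that cache intermediates, while failing for clients that hold only the root. `openssl s_client -showcerts` against the server shows exactly which certificates are being sent.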