The client won't send a certificate unless the server asks for it with a Certificate Request
message (see the standard, section 7.4.4). If the server does not ask for a certificate, the sending of a Certificate
and a CertificateVerify
message from the client is likely to imply an immediate termination from the server (with an unexpected_message
alert). The wording of the standard is not overly clear on that subject, but it still includes this paragraph in section 7.4:
The handshake protocol messages are presented below in the order they
MUST be sent; sending handshake messages in an unexpected order
results in a fatal error. Unneeded handshake messages can be
omitted, however. Note one exception to the ordering: the
Certificate message is used twice in the handshake (from server to
client, then from client to server), but described only in its first
position. The one message that is not bound by these ordering rules
is the HelloRequest message, which can be sent at any time, but which
SHOULD be ignored by the client if it arrives in the middle of a
handshake.
This rather strongly suggests that an unexpected Certificate
message from the client will not be ignored, and instead will "result in a fatal error".
Now you could imagine an active modification by an Man-in-the-Middle entity, who injects an extra Certificate Request
message in the flow from the server, and blocks the Certificate
and Certificate Verify
from the client. This is possible, since the initial handshake is performed, out of necessity, with unprotected records.
However, this will make the handshake fail when the Finished
messages are exchanged. These messages are protected (they occur after the switch to the newly negotiated security parameters). The contents of the Finished
messages are a hash of all handshake messages sent so far. Since the client and the server did not see the same messages (from the point of view of the client, there were extra Certificate Request
, Certificate
and Certificate Verify
messages), the hash values won't match, and the client and server will drop the connection.
So not only it is unclear what an attacker would gain by forcing a client authentication that the server did not ask for, but it will also not work at all because of the way the Finished
messages are computed.