[openssl-users] Renegotiation with Client Certs failure

Adam Grossman adamtg at devitron.com
Tue Aug 1 17:57:38 UTC 2017


Hello,

I inherited the code for a web-server-like server that I need to 
maintain.  It is set up so that when you request a certain URL, the server 
will renegotiate and request a client certificate.  They said it worked 
when they used OpenSSL 0.9.8, but we are seeing issues with 1.0.2l.  When 
it does the renegotiation, the second SSL_do_handshake fails with 
"SSL_ERROR_SYSCALL" and ERR_get_error() returns 0.  But if I reload the 
page, it gets the client certificate and everything works, and every 
subsequent request for that URL works.  But if I clear the cache and 
connect again, I get the same error.

Any help or pointers on how to further debug this would be greatly 
appreciated.

This is the relevant code:

SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
               verify_callback);
ssl_data->reneg_state = RENEG_ALLOW;
r = SSL_renegotiate(ssl);
if (r <= 0) {
    /* return error */
}

/* first call: sends the HelloRequest to the client */
r = SSL_do_handshake(ssl);
if (r <= 0) {
    /* return error */
}

/* put the server side back into the accept state so the next call runs
 * the full handshake (OpenSSL 1.0.x only; the struct is opaque in 1.1.0+) */
ssl->state = SSL_ST_ACCEPT;
do {
    ERR_clear_error();
    r = SSL_do_handshake(ssl);  /* this is where it fails */
    if (r <= 0) {
        e = SSL_get_error(ssl, r);
        unsigned long errR = ERR_get_error();  /* 0 if the queue is empty */
        /* printf("Error Level 1: e=%d r=%d errR=%lu errno=%d\n",
                  e, r, errR, errno); */
    }
} while ((r != 1) &&
         ((e == SSL_ERROR_WANT_READ) || (e == SSL_ERROR_WANT_WRITE)));


thank you very much,

adamtg
