[openssl-users] Renegotiation with Client Certs failure
Adam Grossman
adamtg at devitron.com
Tue Aug 1 17:57:38 UTC 2017
Hello,
I inherited the code for a web-server-like server that I need to
maintain. It is set up so that when you request a certain URL, the server
will renegotiate and request a client certificate. They said it worked
when they used OpenSSL 0.9.8, but we are seeing issues with 1.0.2l. When
it does the renegotiation, the second SSL_handshake fails with
"SSL_ERROR_SYSCALL" and ERR_get_error() returns 0. But if I reload the
page, it gets the client certificate and everything works, and every
subsequent request for that URL works. But if I clear the cache and
connect again, I get the same error.
Any help or pointers on how to further debug this would be greatly
appreciated.
This is the relevant code:
/* Require a client certificate on the renegotiated handshake. */
SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
               verify_callback);
ssl_data->reneg_state = RENEG_ALLOW;

/* Schedule the renegotiation; this first SSL_do_handshake() sends the HelloRequest. */
r = SSL_renegotiate(ssl);
if (r <= 0)
    { /* return error */ }
r = SSL_do_handshake(ssl);
if (r <= 0)
    { /* return error */ }

/* Put the server side back into the accept state so the next
 * SSL_do_handshake() processes the client's new ClientHello.
 * (1.0.x still exposes the SSL struct; it is opaque from 1.1.0 on.) */
ssl->state = SSL_ST_ACCEPT;

do {
    ERR_clear_error();
    r = SSL_do_handshake(ssl);   /* this is where it fails */
    if (r <= 0) {
        e = SSL_get_error(ssl, r);
        unsigned long errR = ERR_get_error();
        /* printf("Error Level 1: e=%d r=%d errR=%lu errno=%d\n", e, r, errR, errno); */
    }
} while ((r != 1) && ((e == SSL_ERROR_WANT_READ) || (e == SSL_ERROR_WANT_WRITE)));
thank you very much,
adamtg
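Added example (not from the post above and not OpenSSL's own code): SSL_get_error(3) documents that SSL_ERROR_SYSCALL with an empty error queue (ERR_get_error() == 0) has to be read together with the return value of SSL_do_handshake(): ret == 0 means the peer ended the connection without a TLS alert, ret == -1 means the underlying read()/write() failed and errno holds the reason. The posted debug printf reads errno only after SSL_get_error() and ERR_get_error() have run, so the value may already be stale. The helper below applies the documented rules; it deliberately has no OpenSSL dependency so it compiles stand-alone, and the X_SSL_ERROR_* constants simply mirror the SSL_ERROR_* values in openssl/ssl.h. The HS_* outcome names, the function names and the sample error-queue value are assumptions of this example.

```c
/* Interpreting SSL_do_handshake() failures the way SSL_get_error(3) describes
 * them. Values mirror SSL_ERROR_* from openssl/ssl.h so the logic can be
 * compared against the real API; no OpenSSL headers are needed to compile. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum {
    X_SSL_ERROR_NONE        = 0,
    X_SSL_ERROR_SSL         = 1,
    X_SSL_ERROR_WANT_READ   = 2,
    X_SSL_ERROR_WANT_WRITE  = 3,
    X_SSL_ERROR_SYSCALL     = 5,
    X_SSL_ERROR_ZERO_RETURN = 6
};

typedef enum {
    HS_DONE,            /* ret == 1: handshake complete */
    HS_RETRY,           /* WANT_READ/WANT_WRITE: wait for the socket, then call again */
    HS_CLOSED,          /* ZERO_RETURN: peer sent close_notify */
    HS_PEER_EOF,        /* SYSCALL, empty queue, ret == 0: peer dropped the connection */
    HS_IO_ERROR,        /* SYSCALL, empty queue, ret == -1: transport failed, see errno */
    HS_PROTOCOL_ERROR,  /* ERROR_SSL, or SYSCALL with a non-empty error queue */
    HS_UNEXPECTED
} hs_outcome;

/* ret        : value returned by SSL_do_handshake()
 * ssl_err    : SSL_get_error(ssl, ret)
 * queued_err : first ERR_get_error() value, 0 when the queue is empty */
hs_outcome classify_handshake_result(int ret, int ssl_err, unsigned long queued_err)
{
    if (ret == 1)
        return HS_DONE;
    switch (ssl_err) {
    case X_SSL_ERROR_WANT_READ:
    case X_SSL_ERROR_WANT_WRITE:
        return HS_RETRY;
    case X_SSL_ERROR_ZERO_RETURN:
        return HS_CLOSED;
    case X_SSL_ERROR_SSL:
        return HS_PROTOCOL_ERROR;
    case X_SSL_ERROR_SYSCALL:
        if (queued_err != 0)
            return HS_PROTOCOL_ERROR;   /* the queue explains it: ERR_print_errors_fp() */
        if (ret == 0)
            return HS_PEER_EOF;         /* EOF that violates the protocol, no alert sent */
        return HS_IO_ERROR;             /* ret == -1: consult the errno captured at once */
    default:
        return HS_UNEXPECTED;
    }
}

/* One-line diagnostic. saved_errno must be copied from errno immediately after
 * SSL_do_handshake() returns, before SSL_get_error()/ERR_get_error()/printf(). */
const char *describe_handshake_result(int ret, int ssl_err, unsigned long queued_err,
                                      int saved_errno, char *buf, size_t len)
{
    switch (classify_handshake_result(ret, ssl_err, queued_err)) {
    case HS_DONE:     snprintf(buf, len, "handshake complete"); break;
    case HS_RETRY:    snprintf(buf, len, "retry when the socket is readable/writable"); break;
    case HS_CLOSED:   snprintf(buf, len, "peer sent close_notify"); break;
    case HS_PEER_EOF: snprintf(buf, len, "peer closed the connection mid-handshake (ret=0, no TLS alert)"); break;
    case HS_IO_ERROR: snprintf(buf, len, "socket I/O error (ret=-1): %s", strerror(saved_errno)); break;
    case HS_PROTOCOL_ERROR: snprintf(buf, len, "TLS error 0x%08lx in the OpenSSL error queue", queued_err); break;
    default:          snprintf(buf, len, "unexpected SSL_get_error() code %d for ret=%d", ssl_err, ret); break;
    }
    return buf;
}

int main(void)
{
    char buf[128];
    /* Constructed probes: the symptom from the post (SYSCALL, empty queue) with both ret values. */
    puts(describe_handshake_result(0,  X_SSL_ERROR_SYSCALL, 0, 0, buf, sizeof buf));
    puts(describe_handshake_result(-1, X_SSL_ERROR_SYSCALL, 0, ECONNRESET, buf, sizeof buf));
    puts(describe_handshake_result(-1, X_SSL_ERROR_SSL, 1UL /* any queued entry */, 0, buf, sizeof buf));
    return 0;
}
```

In the posted loop the natural place for this is right after SSL_do_handshake(): save errno into a local first, then call SSL_get_error() and ERR_get_error(), and log r alongside them. If the classifier reports HS_PEER_EOF, the client hung up after the CertificateRequest rather than OpenSSL rejecting anything, which points the investigation at the client side (a packet capture of the renegotiation will show whether an alert was sent).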