[openssl-users] client ignoring alert

Dustin Albright dustin.albright04 at gmail.com
Tue Oct 9 22:08:32 UTC 2018


I don't want to. I don't know how to do this.

On Tue, Oct 9, 2018, 6:06 PM Dustin Albright <dustin.albright04 at gmail.com>
wrote:

> No, had to bring in groceries. Sorry about that.
>
> On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris <jgh at wizmail.org> wrote:
>
>> Hi,
>>
>>         OpenSSL version 1.1.1 FIPS, on Fedora 29
>>
>> (on both client and server)
>>
>>
>> I'm seeing a client not receiving, or ignoring, what
>> should be a fatal alert from the server during handshake.
>>
>> The server is requiring a client-certificate, via:
>>
>> SSL_CTX_set_verify(sctx,
>>   SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
>> ...
>> server_ssl = SSL_new(server_ctx)
>> ...
>> SSL_accept(server_ssl)
>>
>> ... and the client is not supplying one.  This is a deliberate
>> testcase.  The server debug output goes:
>> ==============
>> 21:31:54  8729 SMTP>> 220 TLS go ahead
>> 21:31:54  8729 Calling SSL_accept
>> 21:31:54  8729 SSL info: before SSL initialization
>> 21:31:54  8729 SSL info: before SSL initialization
>> 21:31:54  8729 SSL info: before SSL initialization
>> 21:31:54  8729 SSL info: SSLv3/TLS read client hello
>> 21:31:54  8729 SSL info: SSLv3/TLS write server hello
>> 21:31:54  8729 SSL info: SSLv3/TLS write change cipher spec
>> 21:31:54  8729 SSL info: TLSv1.3 write encrypted extensions
>> 21:31:54  8729 SSL info: SSLv3/TLS write certificate request
>> 21:31:54  8729 SSL info: SSLv3/TLS write certificate
>> 21:31:54  8729 SSL info: TLSv1.3 write server certificate verify
>> 21:31:54  8729 SSL info: SSLv3/TLS write finished
>> 21:31:54  8729 SSL info: TLSv1.3 early data
>> 21:31:54  8729 SSL info: TLSv1.3 early data
>> 21:31:54  8729 SSL info: error
>> 21:31:54  8729 SSL info: error
>> 21:31:54  8729 LOG: MAIN
>> 21:31:54  8729   TLS error on connection from (rhu.barb)
>> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL
>> routines:tls_process_client_certificate:peer did not return a certificate
>> ===================
>> So far so good.  The client however sees:
>> ===================
>> <<< 220 TLS go ahead
>> Attempting to start TLS
>> SSL info: before SSL initialization
>> SSL info: before SSL initialization
>> SSL info: SSLv3/TLS write client hello
>> SSL info: SSLv3/TLS write client hello
>> SSL info: SSLv3/TLS read server hello
>> SSL info: TLSv1.3 read encrypted extensions
>> SSL info: SSLv3/TLS read server certificate request
>> SSL info: SSLv3/TLS read server certificate
>> SSL info: TLSv1.3 read server certificate verify
>> SSL info: SSLv3/TLS read finished
>> SSL info: SSLv3/TLS write change cipher spec
>> SSL info: SSLv3/TLS write client certificate
>> SSL info: SSLv3/TLS write finished
>> SSL info: SSL negotiation finished successfully
>> SSL info: SSL negotiation finished successfully
>> SSL connection using TLS_AES_256_GCM_SHA384
>> =================
>>
>> The code running up to that last line indicates that
>> SSL_connect() returned without error:
>> ----
>> rc = SSL_connect (*ssl);
>> alarm(0);
>>
>> if (sigalrm_seen)
>>   {
>>   printf("SSL_connect timed out\n");
>>   return 0;
>>   }
>>
>> if (rc <= 0)
>>   {
>>   ERR_print_errors_fp(stdout);
>>   return 0;
>>   }
>>
>> printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
>> ----
>>
>>
>> What am I doing wrong?
>> --
>> Thanks,
>>   Jeremy
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
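Added example, not code from the thread or from OpenSSL: the logs above already show the ordering that explains the symptom. In TLS 1.3 the client sends its (empty) Certificate and its Finished right after reading the server's Finished, so SSL_connect() returns 1 before the server has even looked at the Certificate message; the server's "peer did not return a certificate" failure, and the fatal alert it sends, happen after the client considers the handshake complete, and the client only meets that alert on its next SSL_read(). In TLS 1.2 the client still has to wait for the server's ChangeCipherSpec/Finished, so the same server-side rejection fails SSL_connect() itself. The script below reproduces both cases with Python's ssl module, which drives the same OpenSSL calls (SSL_do_handshake, SSL_read). It assumes Python 3.7+, an `openssl` CLI on PATH (used only to generate a throwaway self-signed localhost certificate), and a usable loopback interface; nothing in it is real infrastructure.

```python
# Added example, not code from the thread: reproduce the behaviour above with
# Python's ssl module, which drives the same OpenSSL calls (SSL_do_handshake,
# SSL_read). Assumes Python 3.7+, an `openssl` CLI on PATH for a throwaway
# self-signed cert, and a usable loopback interface.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"


def make_self_signed(tmpdir):
    """Throwaway localhost key/cert pair for the demo (constructed, not real)."""
    key, cert = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return key, cert


def server_side(listener, ctx, client_done, result):
    """Accept one connection and demand a client certificate."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    # do_handshake_on_connect=False: Python would otherwise close the socket
    # on failure, and the client might see a TCP reset instead of the alert.
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    try:
        tls.do_handshake()                 # SSL_accept: fails on the empty Certificate
        result["server_error"] = None
    except ssl.SSLError as e:
        result["server_error"] = e.reason  # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
    finally:
        client_done.wait(5)                # let the client consume the alert first
        tls.close()


def run_case(version, key, cert):
    """One handshake pinned to `version`; returns what each side observed."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.minimum_version = server_ctx.maximum_version = version
    server_ctx.load_cert_chain(cert, key)
    server_ctx.load_verify_locations(cafile=cert)
    server_ctx.verify_mode = ssl.CERT_REQUIRED  # VERIFY_PEER | FAIL_IF_NO_PEER_CERT

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.minimum_version = client_ctx.maximum_version = version
    client_ctx.check_hostname = False
    client_ctx.load_verify_locations(cafile=cert)
    # Deliberately no client_ctx.load_cert_chain(): the client offers no cert.

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind((HOST, 0))
    listener.listen(1)
    result, client_done = {}, threading.Event()
    t = threading.Thread(target=server_side,
                         args=(listener, server_ctx, client_done, result))
    t.start()

    raw = socket.create_connection(listener.getsockname(), timeout=5)
    tls = client_ctx.wrap_socket(raw, server_hostname="localhost",
                                 do_handshake_on_connect=False)
    try:
        tls.do_handshake()                 # SSL_connect
        result.update(handshake_ok=True, version=tls.version())
        try:
            tls.recv(1)                    # first SSL_read: the deferred alert lands here
            result["read_error"] = None
        except OSError as e:               # ssl.SSLError is an OSError subclass
            result["read_error"] = getattr(e, "reason", None) or type(e).__name__
    except ssl.SSLError as e:
        result.update(handshake_ok=False, handshake_error=e.reason)
    finally:
        client_done.set()
        tls.close()
    t.join(10)
    listener.close()
    return result


def run_demo():
    """TLS 1.3 vs TLS 1.2: where does the client first see 'no client cert'?"""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed(tmp)
        return {"tls13": run_case(ssl.TLSVersion.TLSv1_3, key, cert),
                "tls12": run_case(ssl.TLSVersion.TLSv1_2, key, cert)}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Run it directly and the tls13 entry shows handshake_ok True with a non-empty read_error, while the tls12 entry shows handshake_ok False: the same server-side rejection, surfaced one step later in the client's API. The practical consequence for a client such as the one in the code above is that a successful SSL_connect() over TLS 1.3 is provisional; an application that needs to know whether the server accepted the (absent) client certificate has to perform the first SSL_read()/SSL_write() and check its error before reporting the connection as established.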

