[openssl-users] client ignoring alert
Dustin Albright
dustin.albright04 at gmail.com
Tue Oct 9 22:11:58 UTC 2018
trying to get it open
On Tue, Oct 9, 2018, 6:08 PM Dustin Albright <dustin.albright04 at gmail.com>
wrote:
> I don't want to I don't know how to do this
>
> On Tue, Oct 9, 2018, 6:06 PM Dustin Albright <dustin.albright04 at gmail.com>
> wrote:
>
>> No had to bring in grocery sorry about that
>>
>> On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris <jgh at wizmail.org> wrote:
>>
>>> Hi,
>>>
>>> OpenSSL version 1.1.1 FIPS, on Fedora 29
>>>
>>> (on both client and server)
>>>
>>>
>>> I'm seeing a client not receiving, or ignoring, what
>>> should be a fatal alert from the server during handshake.
>>>
>>> The server is requiring a client-certificate, via:
>>>
>>>   SSL_CTX_set_verify(sctx,
>>>                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
>>>   ...
>>>   server_ssl = SSL_new(server_ctx)
>>>   ...
>>>   SSL_accept(server_ssl)
>>>
>>> ... and the client is not supplying one. This is a deliberate
>>> testcase. The server debug output goes:
>>> ==============
>>> 21:31:54 8729 SMTP>> 220 TLS go ahead
>>> 21:31:54 8729 Calling SSL_accept
>>> 21:31:54 8729 SSL info: before SSL initialization
>>> 21:31:54 8729 SSL info: before SSL initialization
>>> 21:31:54 8729 SSL info: before SSL initialization
>>> 21:31:54 8729 SSL info: SSLv3/TLS read client hello
>>> 21:31:54 8729 SSL info: SSLv3/TLS write server hello
>>> 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec
>>> 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions
>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate request
>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate
>>> 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify
>>> 21:31:54 8729 SSL info: SSLv3/TLS write finished
>>> 21:31:54 8729 SSL info: TLSv1.3 early data
>>> 21:31:54 8729 SSL info: TLSv1.3 early data
>>> 21:31:54 8729 SSL info: error
>>> 21:31:54 8729 SSL info: error
>>> 21:31:54 8729 LOG: MAIN
>>> 21:31:54 8729 TLS error on connection from (rhu.barb)
>>> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL
>>> routines:tls_process_client_certificate:peer did not return a certificate
>>> ===================
>>> So far so good. The client however sees:
>>> ===================
>>> <<< 220 TLS go ahead
>>> Attempting to start TLS
>>> SSL info: before SSL initialization
>>> SSL info: before SSL initialization
>>> SSL info: SSLv3/TLS write client hello
>>> SSL info: SSLv3/TLS write client hello
>>> SSL info: SSLv3/TLS read server hello
>>> SSL info: TLSv1.3 read encrypted extensions
>>> SSL info: SSLv3/TLS read server certificate request
>>> SSL info: SSLv3/TLS read server certificate
>>> SSL info: TLSv1.3 read server certificate verify
>>> SSL info: SSLv3/TLS read finished
>>> SSL info: SSLv3/TLS write change cipher spec
>>> SSL info: SSLv3/TLS write client certificate
>>> SSL info: SSLv3/TLS write finished
>>> SSL info: SSL negotiation finished successfully
>>> SSL info: SSL negotiation finished successfully
>>> SSL connection using TLS_AES_256_GCM_SHA384
>>> =================
>>>
>>> The code running up to that last line indicates that
>>> SSL_connect() returned without error:
>>> ----
>>> rc = SSL_connect (*ssl);
>>> alarm(0);
>>>
>>> if (sigalrm_seen)
>>>   {
>>>   printf("SSL_connect timed out\n");
>>>   return 0;
>>>   }
>>>
>>> if (rc <= 0)
>>>   {
>>>   ERR_print_errors_fp(stdout);
>>>   return 0;
>>>   }
>>>
>>> printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
>>> ----
>>>
>>>
>>> What am I doing wrong?
>>> --
>>> Thanks,
>>> Jeremy
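The behaviour Jeremy describes, reproduced with the OpenSSL command-line tools as an added example (not code from the thread): in TLS 1.3 the client's handshake is complete once it has sent its Finished, before the server has even processed the empty Certificate message, so SSL_connect() succeeds and the server's fatal alert only surfaces on the client's first read. The port, temporary paths and self-signed credentials are assumptions constructed for this run.

```shell
#!/bin/sh
# Added reproduction, not code from the thread. -Verify 1 on s_server is the
# CLI equivalent of SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT; the client
# offers no certificate. Port and paths are assumptions.
PORT=44330
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed server certificate, constructed for this run only.
make_creds() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# One handshake against a one-shot server; prints the client's transcript.
# stdin of both tools is a pipe that stays open for a few seconds so neither
# treats EOF on stdin as a request to quit before the alert is exchanged.
client_transcript() {
  sleep 3 | openssl s_server -accept "$PORT" -tls1_3 -Verify 1 -naccept 1 \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" >/dev/null 2>&1 &
  sleep 1
  sleep 3 | openssl s_client -connect "127.0.0.1:$PORT" -tls1_3 2>&1 || true
  wait
}

# The two facts to separate in the transcript: the "New, TLSv1.3" summary is
# printed only after SSL_connect() returned success on the client; the alert
# string comes from the SSL_read() that follows, which is where a client must
# look for the server's client-auth decision under TLS 1.3.
handshake_completed() { grep -q "New, TLSv1.3"; }
alert_seen()          { grep -q "alert certificate required"; }

make_creds
OUT=$(client_transcript)
printf '%s\n' "$OUT" | handshake_completed && echo "client: SSL_connect returned success"
printf '%s\n' "$OUT" | alert_seen && echo "client: server alert arrived on the first SSL_read"
```

Checking the return code of SSL_connect() alone is therefore not enough under TLS 1.3; a client that needs to know whether the server accepted (or rejected) its certificate has to perform a read and inspect SSL_get_error() on it.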