TLS 1.2 handshake issue (Server Certificate request)

Dmitry Belyavsky beldmit at gmail.com
Fri Feb 7 20:07:27 UTC 2020


Hello Vladimir,

It's worth trying to reproduce the situation using openssl
s_client/s_server command-line apps.

On Fri, Feb 7, 2020 at 9:25 PM Bashin, Vladimir <vbashin at empirix.com> wrote:

> Hello, OpenSSL experts!
>
> We need your help in better understanding the behavior below.
>
> We are experiencing an issue during the initial TLS handshake:
>
> We have the customer-issued TLS certificate that we deploy on our TLS
> client system.
>
> The certs have been generated with a CSR that was generated on the customer’s
> FIPS-compliant server.
>
> The CSR was then signed by a CA hosted on SMGR.
>
> During the endpoint registration with the server we have an endpoint
> initiated TLS handshake – during that handshake the TLS server requests the
> client Certificate but our TLS client responds with the Certificates Length
> 0 that causes the TLS server to respond with the Handshake Failure.
>
> The Google search gives some generic ideas on why that might be happening
> – something along the following lines - that could be happening in case the
> client’s certificate does not match the server certificate – for example,
> due to a signing authority mismatch, or due to the encryption cipher type
> mismatch, or maybe due to some other factors.
>
> Could you please help us in better understanding this issue – what else
> could be wrong or missing in the Server and Client certificates?
>
> Thanks,
>
> Vladimir Bashin


-- 
SY, Dmitry Belyavsky
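
Added example, not part of the thread or of OpenSSL: a small Python parser for the two TLS 1.2 handshake messages behind the reported symptom, the server's CertificateRequest and the client's Certificate, following the layouts in RFC 5246. It lists the certificate types, signature algorithms and issuer names a server advertises and reports an empty certificate list; the function names and the sample bytes are constructed for illustration.

```python
import struct

CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

def handshake_messages(data):
    """Split concatenated TLS 1.2 handshake messages into (type, body) pairs."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        mtype, length = data[pos], int.from_bytes(data[pos + 1:pos + 4], "big")
        if pos + 4 + length > len(data):
            raise ValueError("truncated handshake message")
        out.append((mtype, data[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return out

def parse_certificate_request(body):
    """CertificateRequest (type 13): what the server says it will accept."""
    n = body[0]
    types = [CERT_TYPES.get(t, str(t)) for t in body[1:1 + n]]
    pos = 1 + n
    (alg_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    algs = [f"{HASHES.get(body[i], body[i])}+{SIGS.get(body[i + 1], body[i + 1])}"
            for i in range(pos, pos + alg_len, 2)]
    pos += alg_len
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos, end, cas = pos + 2, pos + 2 + ca_len, []
    while pos < end:  # each entry is a DER-encoded issuer DistinguishedName
        (dn_len,) = struct.unpack_from("!H", body, pos)
        cas.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    return {"types": types, "sig_algs": algs, "ca_dns": cas}

def certificate_list_length(body):
    """Certificate (type 11): byte length of certificate_list; 0 = no cert sent."""
    return int.from_bytes(body[:3], "big")

def msg(mtype, body):
    """Helper for the constructed sample: add the 4-byte handshake header."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed sample data (not from the thread): DN is DER for CN=Example CA.
DN = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"
SERVER_REQ = msg(13, bytes([2, 1, 64]) + bytes.fromhex("000404010403")
                 + (len(DN) + 2).to_bytes(2, "big") + len(DN).to_bytes(2, "big") + DN)
CLIENT_CERT = msg(11, b"\x00\x00\x00")
```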