How to debug a TLSv1.3 protocol problem?
Jan Just Keijser
janjust at nikhef.nl
Tue May 19 07:40:10 UTC 2020
Hi Claus,
On 18/05/20 20:59, Claus Assmann wrote:
> On Mon, May 18, 2020, Alexander Gryanko wrote:
>
> [thanks for the hints, I will try that ASAP]
>
>> But first of all, check your cert type. Looks like you are using non-RSA
>> cert which is not supported by S8.
> As I wrote: it works fine if I don't use TLSv1.3 or if I use openssl
> s_client with TLSv1.3 (it is an RSA cert and I also tested against
> another S8 server which uses a Let's Encrypt cert).
FWIW: adding TLS 1.3 support to my EAP-TLS code got me stumped for a
while as well. I eventually added the following snippet:
    /* Set up an SSL session cache with a callback. This is needed for TLSv1.3+.
     * During the initial handshake the server signals to the client early on
     * that the handshake is finished, even before the client has sent its
     * credentials to the server. The actual connection (and moment that the
     * client sends its credentials) only starts after the arrival of the first
     * session ticket. The 'ssl_new_session_cb' catches this ticket.
     */
    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT |
                                        SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb);
with
    int ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
    {
        dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");
        /* Return 0: we keep no reference to 'sess', so OpenSSL frees it.
         * Returning 1 would tell OpenSSL that we took ownership of the
         * session, and we would then have to call SSL_SESSION_free() later. */
        return 0;
    }
This callback is necessary as otherwise the client thinks the session
handshake is done too soon (and in my case, it does not bother to send
any client-side certificate info to the server).
Perhaps you are seeing something similar? If not, then sorry for the noise.
HTH,
JJK / Jan Just Keijser