client authentication status

Benjamin Kaduk bkaduk at akamai.com
Wed Sep 1 15:51:20 UTC 2021


On Wed, Sep 01, 2021 at 03:36:36PM +0000, Zeke Evans wrote:
> Hi,
> 
> Is there any way to check the status of client authentication sent in a TLS 1.3 handshake after SSL_connect returns?  With TLS 1.2, SSL_connect seems to always capture the status and return an error code if it failed, but not with TLS 1.3.  I haven't been able to find a good way to do this after SSL_connect returns.  I have to handle blocking and non-blocking sockets, so calling SSL_read or SSL_peek isn't an option since those could block.  If client authentication happened to fail, then calling those methods would work because they will return an error, but if it didn't fail, then they could block.

Note that the server is allowed to ignore a client cert that it doesn't like, proceeding with the connection as if the client was unauthenticated.  If you need a specific signal that the server believes the client successfully authenticated, that has to be at the application layer.

Did you try a zero-length SSL_read()?  My recollection is that that gets far enough into the library to see if there are pending alert messages to process.

-Ben


More information about the openssl-users mailing list