How to reject a certificate with access_denied?
Matt Caswell
matt at openssl.org
Tue Jun 7 10:29:30 UTC 2022
On 06/06/2022 18:08, Christian Schmidt wrote:
> Hi,
>
> I am building a server application that allows a user to log in by
> providing a certificate. In order to do custom checks, I have added a
> verify callback to my code to check the certificate on top of its
> cryptographic features (CA Valid, etc).
>
> If the certificate does not pass my extended checks, I would like to
> return the access_denied alert as per RFC8446 section 6.2:
>
> access_denied: A valid certificate or PSK was received, but when
> access control was applied, the sender decided not to proceed with
> negotiation.
>
> However, I can't find a way to generate this alert in openssl, although
> openssl can handle receiving it.
>
> How do I make a callback return a non-defined (as in not defined in the
> headers) alert?
This is not currently possible.
OpenSSL has an internal table which maps verify errors to TLS alerts:
https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394
Unfortunately there are no entries in this table that map to the
access_denied alert.
Matt