How to reject a certificate with access_denied?

Michael Richardson mcr at sandelman.ca
Tue Jun 7 12:46:05 UTC 2022


Matt Caswell <matt at openssl.org> wrote:
    > On 06/06/2022 18:08, Christian Schmidt wrote:
    >> Hi,
    >> I am building a server application that allows a user to log in by
    >> providing a certificate. In order to do custom checks, I have added a
    >> verify callback to my code to check the certificate on top of its
    >> cryptographic features (CA Valid, etc).
    >> If the certificate does not pass my extended checks, I would like to
    >> return the access_denied alert as per RFC8446 section 6.2:
    >> access_denied:  A valid certificate or PSK was received, but when
    >> access control was applied, the sender decided not to proceed with
    >> negotiation.
    >> However, I can't find a way to generate this alert in openssl, although
    >> openssl can handle receiving it.
    >> How do I make a callback return a non-defined (as in not defined in the
    >> headers) alert?

    > This is not currently possible.

    > OpenSSL has an internal table which maps verify errors to TLS alerts:

    > https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394

    > Unfortunately there are no entries in this table that map to the
    > access_denied alert.

Would extensions to this list be welcome?
Should Christian send a PR?




More information about the openssl-users mailing list