issue with 1.1.1n

Viktor Dukhovni openssl-users at dukhovni.org
Tue Nov 1 15:42:23 UTC 2022


On Tue, Nov 01, 2022 at 05:55:08AM -0500, Ray Crumrine wrote:

> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> <SSL 
> routines-ssl3_read_bytes-sslv3 alert certificate expired>

Is this logged by the TLS client or server?  In other words are you
running a client application making outgoing connections or a server
application receiving incoming connections?

> but not all of the time. Only when I try to access
> us-east-va.sip.flowroute using tlsv1.2.

This sounds like "client".  TLS alerts are sent by the other end of the
connection, so if you're getting "certificate expired" alerts from a
server, that means that your client is *sending* an expired certificate
to the server (which must have solicited, possibly optional, client
certificates).  The server in question does send certificate requests:

    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Certificate Request (fragment)
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 16384
            Handshake Protocol: Certificate Request (fragment)
    ...

> I have tried two other sites using the same configuration and they work 
> fine. Is there a simple configuration change or do I need Openssl v3.0?

The other sites presumably don't solicit client certificates.  The
simplest choice is to not configure a client certificate unless you're
sure you're going to need one.

> Checking with 
> https://decoder.link/sslchecker/us-east-va.sip.flowroute.com/5061 
> everything checks fine???

The probe does not send expired client certs.

-- 
    Viktor.
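The error number in the log line quoted above encodes which end raised the complaint: in OpenSSL 1.1.x the code packs library, function and reason into one integer, and reason codes of 1000 plus a TLS alert description mean "alert received from the peer". This is an added example, not code from the thread or from OpenSSL; the log-line format, the alert table and the advice text are assumptions, and the sample line is constructed from the one quoted in the mail.

```python
import re

# OpenSSL 1.1.x packs an error as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20            # "SSL routines"
SSL_AD_REASON_OFFSET = 1000 # SSL_R_*_ALERT_* = 1000 + TLS alert description

# TLS alert descriptions relevant to certificate problems (RFC 5246, 7.2).
# Partial table, assumed sufficient for this illustration.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

# Assumed log format, modelled on the line quoted in the mail.
LOG_RE = re.compile(r"err:\s*<(\d+)>")

# Constructed sample, copied from the quoted log line.
SAMPLE_LINE = ("SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> "
               "<SSL routines-ssl3_read_bytes-sslv3 alert certificate expired>")

def unpack_err(code):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def explain(line, role="client"):
    """Decode the error number in a log line and say who raised the alert."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    lib, func, reason = unpack_err(code)
    info = {"hex": f"{code:08x}", "lib": lib, "func": func,
            "reason": reason, "alert": None, "origin": "local", "advice": ""}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        desc = reason - SSL_AD_REASON_OFFSET
        info["alert"] = TLS_ALERTS.get(desc, f"alert_{desc}")
        info["origin"] = "peer"  # an alert is always sent by the other end
        if desc in CERT_ALERTS:
            # The peer rejected the certificate *we* presented.
            mine = "client certificate" if role == "client" else "server certificate"
            info["advice"] = f"peer rejected our {mine}; check its validity dates"
    return info

if __name__ == "__main__":
    print(explain(SAMPLE_LINE))
```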

