<div dir="ltr">Hello Vladimir,<div><br></div><div>It's worth trying to reproduce the situation using openssl s_client/s_server command-line apps. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 7, 2020 at 9:25 PM Bashin, Vladimir <<a href="mailto:vbashin@empirix.com">vbashin@empirix.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_2449539613917354174WordSection1">
<p class="MsoNormal">Hello, OpenSSL experts !<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We need your help in better understanding a below behavior -
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We are experiencing issue during the initial TLS handshake :<u></u><u></u></p>
<p class="MsoNormal">We have the customer-issued TLS certificate that we deploy on our TLS client system
<u></u><u></u></p>
<p class="MsoNormal">The certs have been generated with a CSR that was generated on customer’s FIPS compliant server
<u></u><u></u></p>
<p class="MsoNormal">The CSR was then signed by CA hosted on SMGR <u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal">During the endpoint registration with the server we have an endpoint initiated TLS handshake – during that handshake the TLS server requests the client Certificate but our TLS client responds with the Certificates Length 0 that causes the
TLS server to respond with the Handshake Failure.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The Google search gives some generic ideas on why that might be happening – something along the following lines - that could be happening in case the client’s certificate does not match the server certificate – for example, due to a signing
authority mismatch, or due to the encryption cipher type mismatch, or maybe due to some other factors.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Could you please help us in better understanding this issue – what else could be wrong or missing in the Server and Client certificates ?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><img width="1181" height="735" style="width: 12.302in; height: 7.6562in;" id="gmail-m_2449539613917354174Picture_x0020_1" src="cid:17021418b474cff311"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Vladimir Bashin<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">SY, Dmitry Belyavsky</div>