[openssl-dev] How to do reneg with client certs in 1.1.0 API
Matt Caswell
matt at openssl.org
Mon Feb 8 12:36:39 UTC 2016
On 08/02/16 12:34, Matt Caswell wrote:
>
>
> On 08/02/16 12:11, Rainer Jung wrote:
>> I'm adding support for OpenSSL 1.1.0 to the Apache web server.
>>
>> I struggle to migrate the renegotiation code in the case where we want
>> the client to send a client cert. The current code works like explained in
>>
>> http://www.linuxjournal.com/node/5487/print
>>
>> After using SSL_set_verify() it calls
>>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>> SSL_set_state(ssl, SSL_ST_ACCEPT);
>> SSL_do_handshake(ssl);
>>
>> for reasons given in the article.
>>
>> The new 1.1.0 API no longer allows to set the state using
>> SSL_set_state(). The old article states, that calling
>> SSL_set_accept_state() is not the right thing to do. Looking at
>> s_server.c doesn't give a hint what to do instead, because it looks like
>> it reads the client certs just raw from the socket.
>>
>> Any hint what would replace the above sequence or at least the
>> SSL_set_state(ssl, SSL_ST_ACCEPT)?
>>
>> Thanks a bunch and regards,
>
> Renegotiation isn't entirely within the control of the server. A server
> can request that a renegotiation takes place. It is up to the client
> whether it honours that request immediately; or perhaps it finishes off
> sending some application data before it gets around to honouring it; or
> perhaps it doesn't honour it at all.
>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>
> This sequence makes the server send the HelloVerifyRequest. It is then
I of course meant HelloRequest (I was looking at the DTLS code earlier
which sends a HelloVerifyRequest!!!)
Matt