[openssl-dev] How to do reneg with client certs in 1.1.0 API
Matt Caswell
matt at openssl.org
Mon Feb 8 14:49:07 UTC 2016
On 08/02/16 14:36, Viktor Dukhovni wrote:
>
>> On Feb 8, 2016, at 9:26 AM, Matt Caswell <matt at openssl.org> wrote:
>>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>> do {
>>     read_some_app_data();
>>     if (no_client_cert_yet()) {
>>         discard_app_data();
>>     }
>> } while (no_client_cert_yet());
>
> At what point in the handshake would a query for client
> certificates show their presence? Is it always strictly
> after the new "finished" message? An additional check for
> the completion of the handshake may be appropriate.
>
Actually, yes that is a good point. There could be some subtle security
issues there. You probably need to additionally check that you are not
halfway through a handshake:
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
do {
    read_some_app_data();
    if (no_client_cert_yet() || SSL_in_init(ssl)) {
        discard_app_data();
    }
} while (no_client_cert_yet() || SSL_in_init(ssl));
Matt