[openssl-users] client ignoring alert

Dustin Albright dustin.albright04 at gmail.com
Tue Oct 9 22:06:13 UTC 2018


No, had to bring in groceries, sorry about that.

On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris <jgh at wizmail.org> wrote:

> Hi,
>
>         OpenSSL version 1.1.1 FIPS, on Fedora 29
>
> (on both client and server)
>
>
> I'm seeing a client not receiving, or ignoring, what
> should be a fatal alert from the server during handshake.
>
> The server is requiring a client-certificate, via:
>
> SSL_CTX_set_verify(sctx,
>   SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
> ...
> server_ssl = SSL_new(server_ctx)
> ...
> SSL_accept(server_ssl)
>
> ... and the client is not supplying one.  This is a deliberate
> testcase.  The server debug output goes:
> ==============
> 21:31:54  8729 SMTP>> 220 TLS go ahead
> 21:31:54  8729 Calling SSL_accept
> 21:31:54  8729 SSL info: before SSL initialization
> 21:31:54  8729 SSL info: before SSL initialization
> 21:31:54  8729 SSL info: before SSL initialization
> 21:31:54  8729 SSL info: SSLv3/TLS read client hello
> 21:31:54  8729 SSL info: SSLv3/TLS write server hello
> 21:31:54  8729 SSL info: SSLv3/TLS write change cipher spec
> 21:31:54  8729 SSL info: TLSv1.3 write encrypted extensions
> 21:31:54  8729 SSL info: SSLv3/TLS write certificate request
> 21:31:54  8729 SSL info: SSLv3/TLS write certificate
> 21:31:54  8729 SSL info: TLSv1.3 write server certificate verify
> 21:31:54  8729 SSL info: SSLv3/TLS write finished
> 21:31:54  8729 SSL info: TLSv1.3 early data
> 21:31:54  8729 SSL info: TLSv1.3 early data
> 21:31:54  8729 SSL info: error
> 21:31:54  8729 SSL info: error
> 21:31:54  8729 LOG: MAIN
> 21:31:54  8729   TLS error on connection from (rhu.barb)
> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> ===================
> So far so good.  The client however sees:
> ===================
> <<< 220 TLS go ahead
> Attempting to start TLS
> SSL info: before SSL initialization
> SSL info: before SSL initialization
> SSL info: SSLv3/TLS write client hello
> SSL info: SSLv3/TLS write client hello
> SSL info: SSLv3/TLS read server hello
> SSL info: TLSv1.3 read encrypted extensions
> SSL info: SSLv3/TLS read server certificate request
> SSL info: SSLv3/TLS read server certificate
> SSL info: TLSv1.3 read server certificate verify
> SSL info: SSLv3/TLS read finished
> SSL info: SSLv3/TLS write change cipher spec
> SSL info: SSLv3/TLS write client certificate
> SSL info: SSLv3/TLS write finished
> SSL info: SSL negotiation finished successfully
> SSL info: SSL negotiation finished successfully
> SSL connection using TLS_AES_256_GCM_SHA384
> =================
>
> The code running up to that last line indicates that
> SSL_connect() returned without error:
> ----
> rc = SSL_connect (*ssl);
> alarm(0);
>
> if (sigalrm_seen)
>   {
>   printf("SSL_connect timed out\n");
>   return 0;
>   }
>
> if (rc <= 0)
>   {
>   ERR_print_errors_fp(stdout);
>   return 0;
>   }
>
> printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
> ----
>
>
> What am I doing wrong?
> --
> Thanks,
>   Jeremy
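What the quoted logs show is inherent to TLS 1.3 rather than a bug in the client code: a TLS 1.3 client has finished its handshake as soon as it sends its own Finished, so SSL_connect() returns 1 before the server has processed the (missing) certificate, and the server's fatal alert can only surface on the client's first SSL_read() or SSL_write(). The example below is added here and is not code from this thread; it reproduces that sequence self-contained with Go's crypto/tls instead of OpenSSL, over an in-memory pipe with a constructed self-signed certificate and the hostname smtp.test (all assumptions), and shows the client's Handshake() succeeding while the alert arrives only on its first Read().

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Outcome records what each side saw; Version is the negotiated protocol version.
type Outcome struct{ ClientHandshake, ClientFirstRead, ServerHandshake error; Version uint16 }

// RunNoClientCert drives a TLS 1.3 handshake over an in-memory pipe: the server requires a
// client certificate (the analogue of SSL_VERIFY_FAIL_IF_NO_PEER_CERT) and the client has none.
func RunNoClientCert() (Outcome, error) {
	// Throwaway self-signed server certificate (constructed test material, not a real identity).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"smtp.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Outcome{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return Outcome{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this certificate and verifies the name
	cp, sp := net.Pipe()
	srv := tls.Server(sp, &tls.Config{MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAnyClientCert,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	cli := tls.Client(cp, &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "smtp.test"})
	serverErr := make(chan error, 1)
	go func() { serverErr <- srv.Handshake() }()
	// The client is "done" as soon as it has sent its Finished: Handshake returns nil here.
	o := Outcome{ClientHandshake: cli.Handshake()}
	if o.ClientHandshake == nil {
		o.Version = cli.ConnectionState().Version
		_, o.ClientFirstRead = cli.Read(make([]byte, 64)) // the server's fatal alert surfaces only here
	}
	o.ServerHandshake = <-serverErr // "client didn't provide a certificate"
	cp.Close()
	return o, nil
}
```

The practical consequence for a client is that a successful SSL_connect() under TLS 1.3 is not proof that the server accepted the connection; the outcome of the first read or write after it is part of the handshake result and has to be checked with the same care.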