[openssl-users] client ignoring alert
Dustin Albright
dustin.albright04 at gmail.com
Tue Oct 9 22:24:19 UTC 2018
I'm trying to get on openssl-users. I'm on a phone.
On Tue, Oct 9, 2018, 6:11 PM Dustin Albright <dustin.albright04 at gmail.com>
wrote:
> trying to get it open
>
> On Tue, Oct 9, 2018, 6:08 PM Dustin Albright <dustin.albright04 at gmail.com>
> wrote:
>
>> I don't want to; I don't know how to do this.
>>
>> On Tue, Oct 9, 2018, 6:06 PM Dustin Albright <dustin.albright04 at gmail.com>
>> wrote:
>>
>>> No, I had to bring in groceries, sorry about that.
>>>
>>> On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris <jgh at wizmail.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> OpenSSL version 1.1.1 FIPS, on Fedora 29
>>>>
>>>> (on both client and server)
>>>>
>>>>
>>>> I'm seeing a client not receiving, or ignoring, what
>>>> should be a fatal alert from the server during handshake.
>>>>
>>>> The server is requiring a client-certificate, via:
>>>>
>>>>   SSL_CTX_set_verify(sctx,
>>>>                      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
>>>>   ...
>>>>   server_ssl = SSL_new(server_ctx)
>>>>   ...
>>>>   SSL_accept(server_ssl)
>>>>
>>>> ... and the client is not supplying one. This is a deliberate
>>>> testcase. The server debug output goes:
>>>> ==============
>>>> 21:31:54 8729 SMTP>> 220 TLS go ahead
>>>> 21:31:54 8729 Calling SSL_accept
>>>> 21:31:54 8729 SSL info: before SSL initialization
>>>> 21:31:54 8729 SSL info: before SSL initialization
>>>> 21:31:54 8729 SSL info: before SSL initialization
>>>> 21:31:54 8729 SSL info: SSLv3/TLS read client hello
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write server hello
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec
>>>> 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate request
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate
>>>> 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write finished
>>>> 21:31:54 8729 SSL info: TLSv1.3 early data
>>>> 21:31:54 8729 SSL info: TLSv1.3 early data
>>>> 21:31:54 8729 SSL info: error
>>>> 21:31:54 8729 SSL info: error
>>>> 21:31:54 8729 LOG: MAIN
>>>> 21:31:54 8729 TLS error on connection from (rhu.barb)
>>>> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL
>>>> routines:tls_process_client_certificate:peer did not return a
>>>> certificate
>>>> ===================
>>>> So far so good. The client however sees:
>>>> ===================
>>>> <<< 220 TLS go ahead
>>>> Attempting to start TLS
>>>> SSL info: before SSL initialization
>>>> SSL info: before SSL initialization
>>>> SSL info: SSLv3/TLS write client hello
>>>> SSL info: SSLv3/TLS write client hello
>>>> SSL info: SSLv3/TLS read server hello
>>>> SSL info: TLSv1.3 read encrypted extensions
>>>> SSL info: SSLv3/TLS read server certificate request
>>>> SSL info: SSLv3/TLS read server certificate
>>>> SSL info: TLSv1.3 read server certificate verify
>>>> SSL info: SSLv3/TLS read finished
>>>> SSL info: SSLv3/TLS write change cipher spec
>>>> SSL info: SSLv3/TLS write client certificate
>>>> SSL info: SSLv3/TLS write finished
>>>> SSL info: SSL negotiation finished successfully
>>>> SSL info: SSL negotiation finished successfully
>>>> SSL connection using TLS_AES_256_GCM_SHA384
>>>> =================
>>>>
>>>> The code running up to that last line indicates that
>>>> SSL_connect() returned without error:
>>>> ----
>>>> rc = SSL_connect (*ssl);
>>>> alarm(0);
>>>>
>>>> if (sigalrm_seen)
>>>>   {
>>>>   printf("SSL_connect timed out\n");
>>>>   return 0;
>>>>   }
>>>>
>>>> if (rc <= 0)
>>>>   {
>>>>   ERR_print_errors_fp(stdout);
>>>>   return 0;
>>>>   }
>>>>
>>>> printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
>>>> ----
>>>>
>>>>
>>>> What am I doing wrong?
>>>> --
>>>> Thanks,
>>>> Jeremy
>>>> --
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>>>
>>>
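The two logs quoted above have the shape of a TLS 1.3 handshake: the client's SSL_connect() returns 1 as soon as it has sent its own Finished, before the server has processed the (empty) client Certificate, so the server's fatal alert is only seen by the client on its first SSL_read()/SSL_write(). The following is an added example, written by the editor and not code from the post, Exim, or the OpenSSL project, that reproduces this ordering in memory using Python's ssl module (OpenSSL underneath) and MemoryBIO pairs instead of sockets. It assumes the `openssl` command-line tool is on PATH, used only to mint a throw-away self-signed server certificate for localhost, and that the ssl module is built against OpenSSL 1.1.1 or later with TLS 1.3 enabled. The server context uses CERT_REQUIRED, Python's equivalent of SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; the client deliberately loads no client certificate, mirroring the test case in the thread.

```python
"""Show that a TLS 1.3 client "finishes" before the server has judged its
(missing) client certificate.  Added example, not from the original post.
Assumptions: `openssl` CLI on PATH; ssl module built on OpenSSL >= 1.1.1."""
import os
import ssl
import subprocess
import tempfile


def make_self_signed(tmpdir):
    """Mint a throw-away self-signed server cert/key (assumes the `openssl` CLI)."""
    key = os.path.join(tmpdir, "key.pem")
    crt = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "ec",
         "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def pump(src, dst):
    """Move whatever one side queued for the wire into the other side's input."""
    data = src.read()
    if data:
        dst.write(data)
    return len(data)


def run_tls13_handshake():
    """Drive one handshake step by step and record what each side observes."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("this demonstration needs TLS 1.3 support")
    with tempfile.TemporaryDirectory() as tmpdir:
        crt, key = make_self_signed(tmpdir)

        # Server: require a client certificate, like the quoted SSL_CTX_set_verify().
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.minimum_version = ssl.TLSVersion.TLSv1_3
        sctx.load_cert_chain(crt, key)
        sctx.verify_mode = ssl.CERT_REQUIRED

        # Client: trusts the test cert, verifies the server, presents no client cert.
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.minimum_version = ssl.TLSVersion.TLSv1_3
        cctx.load_verify_locations(crt)

        cin, cout = ssl.MemoryBIO(), ssl.MemoryBIO()   # client's incoming/outgoing bytes
        sin, sout = ssl.MemoryBIO(), ssl.MemoryBIO()   # server's incoming/outgoing bytes
        client = cctx.wrap_bio(cin, cout, server_side=False, server_hostname="localhost")
        server = sctx.wrap_bio(sin, sout, server_side=True)
        result = {}

        # 1. ClientHello goes out; the client now waits for the server flight.
        try:
            client.do_handshake()
        except ssl.SSLWantReadError:
            pass
        pump(cout, sin)

        # 2. ServerHello .. CertificateRequest .. Certificate .. Finished go out;
        #    the server now waits for the client's Certificate + Finished.
        try:
            server.do_handshake()
        except ssl.SSLWantReadError:
            pass
        pump(sout, cin)

        # 3. The client consumes the server flight and sends an *empty*
        #    Certificate plus Finished.  In TLS 1.3 its handshake is complete
        #    here, so do_handshake() (SSL_connect) returns without error.
        client.do_handshake()
        result["client_handshake_ok"] = True
        result["client_version"] = client.version()
        pump(cout, sin)

        # 4. Only now does the server process the empty Certificate and fail;
        #    OpenSSL queues a fatal alert for the client in the same step.
        try:
            server.do_handshake()
            result["server_error"] = None
        except ssl.SSLError as exc:
            result["server_error"] = str(exc)
        result["alert_bytes"] = pump(sout, cin)

        # 5. The client's first read is where that alert finally surfaces.
        try:
            client.read(1024)
            result["client_read_error"] = None
        except ssl.SSLWantReadError:
            result["client_read_error"] = None      # nothing arrived: not expected
        except ssl.SSLError as exc:
            result["client_read_error"] = str(exc)
        return result


if __name__ == "__main__":
    for key, value in run_tls13_handshake().items():
        print(f"{key}: {value}")
```

The practical consequence for a client that needs to know whether the server accepted it (an SMTP client deciding whether STARTTLS "succeeded", for instance) is that a successful SSL_connect() under TLS 1.3 only proves the client verified the server; the server's decision about the client arrives with the first SSL_read()/SSL_write(), so error handling on that first I/O call has to be treated as part of the handshake.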