[openssl-users] client ignoring alert

Matt Caswell matt at openssl.org
Tue Oct 9 22:53:54 UTC 2018



On 09/10/18 22:27, Jeremy Harris wrote:
> Hi,
> 
> 	OpenSSL version 1.1.1 FIPS, on Fedora 29
> 
> (on both client and server)
> 
> 
> I'm seeing a client not receiving, or ignoring, what
> should be a fatal alert from the server during handshake.
> 
> The server is requiring a client-certificate, via:
> 
> SSL_CTX_set_verify(sctx,
>   SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
> ...
> server_ssl = SSL_new(server_ctx)
> ...
> SSL_accept(server_ssl)
> 
> ... and the client is not supplying one.  This is a deliberate
> testcase.  The server debug output goes:
> ==============
> 21:31:54  8729 SMTP>> 220 TLS go ahead
> 21:31:54  8729 Calling SSL_accept
> 21:31:54  8729 SSL info: before SSL initialization
> 21:31:54  8729 SSL info: before SSL initialization
> 21:31:54  8729 SSL info: before SSL initialization
> 21:31:54  8729 SSL info: SSLv3/TLS read client hello
> 21:31:54  8729 SSL info: SSLv3/TLS write server hello
> 21:31:54  8729 SSL info: SSLv3/TLS write change cipher spec
> 21:31:54  8729 SSL info: TLSv1.3 write encrypted extensions
> 21:31:54  8729 SSL info: SSLv3/TLS write certificate request
> 21:31:54  8729 SSL info: SSLv3/TLS write certificate
> 21:31:54  8729 SSL info: TLSv1.3 write server certificate verify
> 21:31:54  8729 SSL info: SSLv3/TLS write finished
> 21:31:54  8729 SSL info: TLSv1.3 early data
> 21:31:54  8729 SSL info: TLSv1.3 early data
> 21:31:54  8729 SSL info: error
> 21:31:54  8729 SSL info: error
> 21:31:54  8729 LOG: MAIN
> 21:31:54  8729   TLS error on connection from (rhu.barb)
> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> ===================
> So far so good.  The client however sees:
> ===================
> <<< 220 TLS go ahead
> Attempting to start TLS
> SSL info: before SSL initialization
> SSL info: before SSL initialization
> SSL info: SSLv3/TLS write client hello
> SSL info: SSLv3/TLS write client hello
> SSL info: SSLv3/TLS read server hello
> SSL info: TLSv1.3 read encrypted extensions
> SSL info: SSLv3/TLS read server certificate request
> SSL info: SSLv3/TLS read server certificate
> SSL info: TLSv1.3 read server certificate verify
> SSL info: SSLv3/TLS read finished
> SSL info: SSLv3/TLS write change cipher spec
> SSL info: SSLv3/TLS write client certificate
> SSL info: SSLv3/TLS write finished
> SSL info: SSL negotiation finished successfully
> SSL info: SSL negotiation finished successfully
> SSL connection using TLS_AES_256_GCM_SHA384
> =================
> 
> The code running up to that last line indicates that
> SSL_connect() returned without error:
> ----
> rc = SSL_connect (*ssl);
> alarm(0);
> 
> if (sigalrm_seen)
>   {
>   printf("SSL_connect timed out\n");
>   return 0;
>   }
> 
> if (rc <= 0)
>   {
>   ERR_print_errors_fp(stdout);
>   return 0;
>   }
> 
> printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
> ----
> 
> 
> What am I doing wrong?
> 

Nothing. This is expected behaviour. The messages in this TLSv1.3
handshake are:

Client                 Server
------                 ------

ClientHello
                       ServerHello
                       EncryptedExtensions
                       CertificateRequest
                       Certificate
                       CertificateVerify
                       Finished
Certificate(empty)
Finished
                       Alert

Note that it is the client that sends the last flight of messages in the
handshake, and the (empty) Certificate message is part of that flight.
As far as the client is concerned it has sent all the messages it needs
to, to the complete the handshake. Therefore SSL_connect() completes
successfully. On the server side the handshake won't be complete until
it sees the client Finished - but before it gets that far it notices the
missing Certificate and sends the alert. From a client perspective this
will appear as if the handshake successfully completed but then the
server immediately aborts with a fatal alert.

Matt


More information about the openssl-users mailing list