resumption problem

Jeremy Harris jgh at
Mon Mar 23 23:46:43 UTC 2020

OpenSSL 1.1.1  on Centos 8
Ticket-based resumption

I'm getting a repeatable error from a client call to SSL_connect()
of "14228044:SSL routines:construct_ca_names:internal error".

Packet capture shows an Alert being sent by the client before
anything is received from the server.

The error only occurs when the client is trying to resume
a previous session, and (here's the odd part) only when
the client is set up to offer a client certificate.

[I can change the client config to stop it offering this
client-cert, and the resumption works just fine]

I *think* possibly also the precise nature of that client cert
matters; a testcase I set up away from my production
system failed to induce the error.  The client cert
is loaded using SSL_CTX_use_certificate_chain_file();
the file contains a private-key and a 3-element chain
with a Lets Encrypt cert (leaf, signer, CA-root).
The CA is sha1/rsa, the other two are sha256/rsa.

The preceding TLS session is logged as using

Any ideas?

More information about the openssl-users mailing list