How to debug a TLSv1.3 protocol problem?
Jan Just Keijser
janjust at nikhef.nl
Tue May 19 07:40:10 UTC 2020
On 18/05/20 20:59, Claus Assmann wrote:
> On Mon, May 18, 2020, Alexander Gryanko wrote:
> [thanks for the hints, I will try that ASAP]
>> But first of all, check your cert type. Looks like you are using non-RSA
>> cert which is not supported by S8.
> As I wrote: it works fine if I don't use TLSv1.3 or if I use openssl
> s_client with TLSv1.3 (it is an RSA cert and I also tested against
> another S8 server which uses a Let's Encrypt cert).
FWIW: adding TLS 1.3 support to my EAP-TLS code got me stumped for a
while as well. I eventually added up the following snippet:
/* Set up a SSL Session cache with a callback. This is needed for
* During the initial handshake the server signals to the client
* that the handshake is finished, even before the client has sent its
* credentials to the server. The actual connection (and moment
* client sends its credentials) only starts after the arrival of
* session ticket. The 'ssl_new_session_cb' catches this ticket.
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT |
int ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");
/* always return success */
This callback is necessary as otherwise the client thinks the session
handshake is done too soon (and in my case, it does not bother to send
any client-side certificate info to the server).
Perhaps you are seeing something similar? If not, then sorry for the noise.
JJK / Jan Just Keijser
More information about the openssl-users