SSL_connect with TLS 1.3 and client Certificates

Christian Schmidt schmidt at digadd.de
Tue Jul 13 18:44:11 UTC 2021


Hello all,

I am currently trying to build both client and server of an application
that uses TLS 1.3 and mutual authentication using certificates. The
application works so far - I can establish connections, certificates are
verified, data is successfully transmitted, etc.

However, I have an issue, or maybe two.

1. SSL_connect returns successfully before the client certificate is
sent from the client to the server. The client certificate is only sent
on the first SSL_write_ex with > 0 bytes, and as such, at this point the
server can generate SSL alerts like access denied, etc.

2. When trying to benchmark latency on the application, the first
roundtrip is extended by the client certificate verification.

Is there any way I can complete the handshake, and thus validate the
full connection, without sending data?

I must say that even after reading RFC8446 I am not sure if there is a
positive confirmation after the client certificate is sent, so I am not
sure if what I am asking for is even possible.

Best regards,
Chris


More information about the openssl-users mailing list