Fw: openssl s_client privatekey engine pkcs11 - no SSL_connect:SSLv3/TLS write certificate verify

Zlatko Vrastic vrastic at yahoo.com
Wed Oct 27 10:28:28 UTC 2021


 
----- Forwarded Message -----
From: Zlatko Vrastic <vrastic at yahoo.com>
To: "openssl-users at openssl.org" <openssl-users at openssl.org>
Sent: Friday, October 22, 2021, 03:25:10 PM GMT+2
Subject: openssl s_client privatekey engine pkcs11 - no SSL_connect:SSLv3/TLS write certificate verify
When using
openssl s_client ...... -keyform engine -engine pkcs11 -key 0:00
there is no SSL_connect:SSLv3/TLS write certificate verify step in the handshake protocol
and the server rejects the connection.


The connection is an HTTPS GET to obtain a token for further communication. During this HTTPS GET, TLS 1.2 is used as the protocol.
Connecting to the server from Windows with a Visual Studio HTTPS request works with the pfx or with the smart card; we get the token.
On Linux, the openssl+opensc connection with client.pem and privatekey.pem extracted from the pfx certificate is OK; we get the token.
When we use the smart card with openssl+opensc we get authorisation denied; the SSL client is not sending SSL_connect:SSLv3/TLS write certificate verify.
Comparing the SSL logs, the initial handshake is the same; after we send the GET request string the handshake differs.

Good communication when using client.pem and privatekey.pem:
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSLv3/TLS read hello request
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
read R BLOCK
HTTP/1.1 200 OK

Missing write certificate verify when using the GIDS smart card: -keyform engine -engine pkcs11 -key 0:00 (works the same when using: -keyform engine -engine pkcs11 -key "pkcs11:id=%00;type=private")
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSLv3/TLS read hello request
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
read R BLOCK
HTTP/1.1 401 Unauthorized

Do you have any suggestions on what to try? We debugged and verified that the openssl pkcs11 engine through opensc is working well.
We do not know how to tell s_client to send SSLv3/TLS write certificate verify. When this is not sent we get rejected by the server.

Another issue we had was with cipher suites. The server usually works with ECDHE-RSA-AES256-GCM-SHA384.
With openssl installed on Linux this cipher is used for the communication.
With openssl installed on Windows it returns
742F0000:error:0A080006:SSL routines:ssl_generate_param_group:EVP lib:ssl\s3_lib.c:4727:
742F0000:error:0A00013A:SSL routines:tls_process_ske_ecdhe:unable to find ecdh parameters:ssl\statem\statem_clnt.c:2140:
although this cipher suite is supported by openssl when checked with the ciphers command,
and later
New, (NONE), Cipher is (NONE)
We skipped over this with -cipher AESGCM:!ECDHE-RSA-AES256-GCM-SHA384, telling openssl not to use this cipher;
the communication is switched to
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256.
But this problem with SSLv3/TLS write certificate verify is the same on Linux and Windows.
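An added example, not from the post or from OpenSSL/OpenSC, in POSIX shell: the first function diffs two `openssl s_client -state` traces of the kind quoted above and lists the steps the engine run lacks; the second checks whether the PKCS#11 key behind the -key URI can sign and whether that signature verifies under the client certificate, which is what a CertificateVerify message requires. The function names, the client certificate path, and the test message are assumptions.

```shell
# Added example, not from the original post. Both traces above are in
# `openssl s_client -state` format; the helpers diff them and probe the key.

# Print the SSL_connect states found in GOOD_LOG but not in BAD_LOG, in order.
# OpenSSL prints some states twice, so consecutive duplicates are folded.
handshake_missing_steps() {
    good_log=$1; bad_log=$2
    grep '^SSL_connect:' "$good_log" | uniq | while IFS= read -r step; do
        grep -qxF "$step" "$bad_log" || printf '%s\n' "$step"
    done
}

# Sign a constructed message with the engine-backed key and verify it with the
# public key from the client certificate. Non-zero status: the key cannot sign,
# or does not belong to the certificate; either would also stop s_client from
# producing a CertificateVerify (assumption; the post does not confirm the cause).
# KEY_URI is the same value passed to -key, e.g. "pkcs11:id=%00;type=private".
engine_key_signs() {
    key_uri=$1; cert_pem=$2
    d=$(mktemp -d)
    printf 'constructed test message\n' > "$d/msg"
    rc=1
    if openssl x509 -in "$cert_pem" -pubkey -noout > "$d/pub.pem" &&
       openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "$key_uri" \
           -out "$d/sig" "$d/msg" &&
       openssl dgst -sha256 -verify "$d/pub.pem" -signature "$d/sig" "$d/msg"
    then
        rc=0
    fi
    rm -r "$d"
    return "$rc"
}

# Constructed demo: the client's write steps from the two traces quoted above;
# the engine run is the PEM run minus the "write certificate verify" line.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'SSL_connect:SSLv3/TLS write client certificate' \
        'SSL_connect:SSLv3/TLS write client key exchange' \
        'SSL_connect:SSLv3/TLS write certificate verify' \
        'SSL_connect:SSLv3/TLS write change cipher spec' \
        'SSL_connect:SSLv3/TLS write finished' \
        'SSL_connect:SSLv3/TLS write finished' > "$d/pem.log"
    grep -v 'certificate verify' "$d/pem.log" > "$d/engine.log"
    handshake_missing_steps "$d/pem.log" "$d/engine.log"
    rm -r "$d"
}
```

Run `demo` to see the diff on the constructed traces, or `engine_key_signs "pkcs11:id=%00;type=private" client.pem` on a machine with the pkcs11 engine and the card present.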
