Re: client ignoring alert

No, had to bring in groceries, sorry about that.

On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris <jgh@xxxxxxxxxxx> wrote:
Hi,

        OpenSSL version 1.1.1 FIPS, on Fedora 29

(on both client and server)


I'm seeing a client not receiving, or ignoring, what
should be a fatal alert from the server during handshake.

The server is requiring a client-certificate, via:

SSL_CTX_set_verify(sctx,
  SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
...
server_ssl = SSL_new(server_ctx)
...
SSL_accept(server_ssl)

... and the client is not supplying one.  This is a deliberate
testcase.  The server debug output goes:
==============
21:31:54  8729 SMTP>> 220 TLS go ahead
21:31:54  8729 Calling SSL_accept
21:31:54  8729 SSL info: before SSL initialization
21:31:54  8729 SSL info: before SSL initialization
21:31:54  8729 SSL info: before SSL initialization
21:31:54  8729 SSL info: SSLv3/TLS read client hello
21:31:54  8729 SSL info: SSLv3/TLS write server hello
21:31:54  8729 SSL info: SSLv3/TLS write change cipher spec
21:31:54  8729 SSL info: TLSv1.3 write encrypted extensions
21:31:54  8729 SSL info: SSLv3/TLS write certificate request
21:31:54  8729 SSL info: SSLv3/TLS write certificate
21:31:54  8729 SSL info: TLSv1.3 write server certificate verify
21:31:54  8729 SSL info: SSLv3/TLS write finished
21:31:54  8729 SSL info: TLSv1.3 early data
21:31:54  8729 SSL info: TLSv1.3 early data
21:31:54  8729 SSL info: error
21:31:54  8729 SSL info: error
21:31:54  8729 LOG: MAIN
21:31:54  8729   TLS error on connection from (rhu.barb)
[192.168.122.94] (SSL_accept): error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a certificate
===================
So far so good.  The client however sees:
===================
<<< 220 TLS go ahead
Attempting to start TLS
SSL info: before SSL initialization
SSL info: before SSL initialization
SSL info: SSLv3/TLS write client hello
SSL info: SSLv3/TLS write client hello
SSL info: SSLv3/TLS read server hello
SSL info: TLSv1.3 read encrypted extensions
SSL info: SSLv3/TLS read server certificate request
SSL info: SSLv3/TLS read server certificate
SSL info: TLSv1.3 read server certificate verify
SSL info: SSLv3/TLS read finished
SSL info: SSLv3/TLS write change cipher spec
SSL info: SSLv3/TLS write client certificate
SSL info: SSLv3/TLS write finished
SSL info: SSL negotiation finished successfully
SSL info: SSL negotiation finished successfully
SSL connection using TLS_AES_256_GCM_SHA384
=================

The code running up to that last line indicates that
SSL_connect() returned without error:
----
rc = SSL_connect (*ssl);
alarm(0);

if (sigalrm_seen)
  {
  printf("SSL_connect timed out\n");
  return 0;
  }

if (rc <= 0)
  {
  ERR_print_errors_fp(stdout);
  return 0;
  }

printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
----


What am I doing wrong?
--
Thanks,
  Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
