Re: TLS 1.2 handshake issue (Server Certificate request)

If you have the server's key and certificate, the command will be something like

openssl s_server -key key -cert cert -CAfile file_with_ca -verify_return_error

file_with_ca should contain a concatenation of the certs of the CAs that should issue the client's certificate.

If you don't have the server keypair, try to understand something from the command

openssl s_client -connect host:port -cert clicert -key clikey

At least you'll hopefully see the list of allowed client certificate issuers.

Please read the manuals of s_client/s_server apps for more details.

On Fri, Feb 7, 2020 at 11:18 PM Bashin, Vladimir <vbashin@xxxxxxxxxxx> wrote:

Thanks Dmitry!

Do I need the server certificate in order to run those commands?

Also, could you please point me to the exact commands that I’d need to execute in order to reproduce the TLS handshake?

Regards,

VB
From: Dmitry Belyavsky <beldmit@xxxxxxxxx>
Sent: Friday, February 7, 2020 3:07 PM
To: Bashin, Vladimir <vbashin@xxxxxxxxxxx>
Cc: openssl-users@xxxxxxxxxxx
Subject: Re: TLS 1.2 handshake issue (Server Certificate request)
Hello Vladimir,
It's worth trying to reproduce the situation using openssl s_client/s_server command-line apps.

On Fri, Feb 7, 2020 at 9:25 PM Bashin, Vladimir <vbashin@xxxxxxxxxxx> wrote:

Hello, OpenSSL experts!

We need your help in better understanding the behavior described below:

We are experiencing an issue during the initial TLS handshake:

We have the customer-issued TLS certificate that we deploy on our TLS client system.

The certs have been generated with a CSR that was generated on the customer’s FIPS-compliant server.

The CSR was then signed by a CA hosted on SMGR.

During the endpoint registration with the server we have an endpoint-initiated TLS handshake. During that handshake the TLS server requests the client certificate, but our TLS client responds with Certificates Length 0, which causes the TLS server to respond with a Handshake Failure.

A Google search gives some generic ideas on why that might be happening, something along the following lines: it could be happening in case the client’s certificate does not match the server certificate, for example due to a signing authority mismatch, due to an encryption cipher type mismatch, or maybe due to some other factors.

Could you please help us in better understanding this issue: what else could be wrong or missing in the server and client certificates?

Thanks,

Vladimir Bashin
--

SY, Dmitry Belyavsky



--
SY, Dmitry Belyavsky
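Dmitry's suggestion to reproduce the handshake with s_server/s_client, written out as a runnable script. This is an added example, not code from the thread: it assumes openssl in PATH and a free loopback port 44330, and it generates its own throwaway CA and certificates in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the mutual-TLS handshake with
# openssl s_server/s_client on throwaway certs, print the CA names the server
# advertises in its CertificateRequest, and report whether the server accepted
# the client certificate. Assumes openssl in PATH and a free loopback port 44330.
set -eu
WORK=$(mktemp -d)
PORT=44330

mkca() {   # mkca <name>: self-signed throwaway CA (key + cert)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mkcert() { # mkcert <name> <ca>: key + CSR, CSR signed by <ca> (the flow in the thread)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# handshake [client]: prints "accepted" or "rejected". With no argument the
# client sends an empty Certificate message, the symptom described in the thread.
handshake() {
  openssl s_server -accept "$PORT" -key "$WORK/server.key" -cert "$WORK/server.pem" \
    -CAfile "$WORK/clientca.pem" -Verify 1 -verify_return_error -www >/dev/null 2>&1 &
  spid=$!
  sleep 1
  certargs=""
  if [ -n "${1:-}" ]; then certargs="-cert $WORK/$1.pem -key $WORK/$1.key"; fi
  # certargs is left unquoted on purpose so it word-splits into separate options
  out=$( (printf 'GET / HTTP/1.0\r\n\r\n'; sleep 1) | openssl s_client \
    -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/serverca.pem" $certargs 2>&1 || true)
  kill "$spid" 2>/dev/null || true; wait "$spid" 2>/dev/null || true
  # Issuer list from the server's CertificateRequest: the client cert's issuer must appear here
  echo "$out" | sed -n '/Acceptable client certificate CA names/,/Client Certificate Types/p' >&2
  if echo "$out" | grep -q 'HTTP/1.0 200'; then echo accepted; else echo rejected; fi
}

mkca serverca; mkca clientca; mkca otherca
mkcert server serverca     # server cert, trusted by the client via -CAfile serverca.pem
mkcert client clientca     # client cert issued by the CA the server trusts
mkcert stray otherca       # client cert issued by a CA the server does not trust
echo "matching issuer:   $(handshake client)"   # accepted
echo "mismatched issuer: $(handshake stray)"    # rejected (signing authority mismatch)
echo "no client cert:    $(handshake)"          # rejected (Certificates Length 0)
```

The stray case is the signing authority mismatch that the -CAfile on s_server is meant to expose, and the CA names printed to stderr are the list Dmitry says to look for in the s_client output.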