On Mon, Mar 23, 2020 at 11:46:43PM +0000, Jeremy Harris wrote:
> OpenSSL 1.1.1 on CentOS 8
> Ticket-based resumption
>
>
> I'm getting a repeatable error from a client call to SSL_connect()
> of "14228044:SSL routines:construct_ca_names:internal error".
>
> Packet capture shows an Alert being sent by the client before
> anything is received from the server.
>
> The error only occurs when the client is trying to resume
> a previous session, and (here's the odd part) only when
> the client is set up to offer a client certificate.
>
> [I can change the client config to stop it offering this
> client-cert, and the resumption works just fine]
>
>
> I *think* possibly also the precise nature of that client cert
> matters; a testcase I set up away from my production
> system failed to induce the error. The client cert
> is loaded using SSL_CTX_use_certificate_chain_file();
> the file contains a private-key and a 3-element chain
> with a Let's Encrypt cert (leaf, signer, CA-root).
> The CA is sha1/rsa, the other two are sha256/rsa.

Try omitting the (sha1) CA from the file?

-Ben