Hi to all. I’m using the 0.9.6.a-engine version (I don’t think that it will matter here), and I have the following problem: I’m trying to connect to an https site on an IIS server using my applicative OpenSSL client; the site is defined as “require SSL channel” and “accept client certificate”. It means that I have to call the site using SSL, but I don’t have to pass a client certificate (it’s “accept”, not “require”). So, I started the handshake without supplying the client with a certificate. IIS responded with “500 – Internal Server Error” (actually, it didn’t respond at all, but I saw the error code in its log). So, I changed the site’s restrictions from “**Accept** client certificate” to “**REQUIRE** client certificate”, and supplied my client with a client certificate – but I got the same error on the server.

Then, I decided to check the client against an OpenSSL server: I ran s_server (the sample server) and checked my client against it – it worked fine in both cases (“accept” and “require”). So, it seems that IIS and OpenSSL servers are doing the handshake differently. So, I decided to check the handshake itself (by looking at the types of messages that the client receives from the server during the handshake, in both the OpenSSL and IIS handshakes). And this is what I saw:

In OpenSSL, after sending the server certificate, the server sends a certificate request (to get the client certificate) – it doesn’t matter at this step if the case is “accept” or “require” – it will matter later to the server, but not to the client and not now. So, the client reads the server’s certificate request and sends back a certificate message (in my case, with an empty certificate). And the handshake finishes fine and the connection goes on.

In IIS, on the other hand, the server sends its certificate and then sends a “SERVER_DONE” message, which means that IIS is not even trying to ask for a certificate from the client. So, I guess that maybe IIS is asking for a re-handshake just to ask for the client certificate? Is it right? If it is – I have two questions:

If my guess doesn’t seem to be right – maybe somebody can enlighten me? If there is some lack of details – just tell! Thank you for reading this long mail, and also to those who will decide to help :-)

Sharon.
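The comparison Sharon did by eye (does the server send a CertificateRequest before ServerHelloDone, or go straight to ServerHelloDone?) can be done mechanically over a captured server flight. The following is an added example, not part of Sharon’s mail and not OpenSSL or IIS code: a small TLS 1.0 record/handshake walker that reassembles handshake fragments across records (RFC 2246 allows a message to span records), lists the message types, and reports whether a client certificate was requested in the initial handshake. It also flags a HelloRequest, the message a server sends when it wants the client to start a new handshake, which is the “re-handshake” guessed at above. The two flights and the message bodies are constructed byte strings, not real captures; the function names are my own.

```python
"""Classify a TLS 1.0 server flight: did the server send CertificateRequest
before ServerHelloDone (s_server behaviour in the mail), or ServerHelloDone
straight after Certificate (the IIS behaviour described)?  Assumes RFC 2246
framing; the sample flights below are constructed, not captured."""
import struct

CONTENT_HANDSHAKE = 22
HS_NAMES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}


def handshake_message(hs_type, body):
    """One handshake message: 1-byte type, 3-byte length, body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def record(content_type, fragment, version=(3, 1)):
    """One TLS record: content type, version, 2-byte length, fragment."""
    return bytes([content_type, *version]) + len(fragment).to_bytes(2, "big") + fragment


def handshake_types(stream):
    """Walk the record layer, concatenate handshake fragments, then split the
    reassembled buffer into handshake messages and return their type names."""
    buf = bytearray()
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header")
        ctype, _maj, _min, length = struct.unpack("!BBBH", stream[off:off + 5])
        off += 5
        frag = stream[off:off + length]
        if len(frag) != length:
            raise ValueError("truncated record body")
        off += length
        if ctype == CONTENT_HANDSHAKE:
            buf += frag
    names, p = [], 0
    while p < len(buf):
        if p + 4 > len(buf):
            raise ValueError("truncated handshake header")
        hs_type = buf[p]
        hs_len = int.from_bytes(buf[p + 1:p + 4], "big")
        p += 4
        if p + hs_len > len(buf):
            raise ValueError("truncated handshake body")
        names.append(HS_NAMES.get(hs_type, "unknown(%d)" % hs_type))
        p += hs_len
    return names


def server_asked_for_client_cert(stream):
    """True iff a CertificateRequest precedes ServerHelloDone in the flight."""
    names = handshake_types(stream)
    if "ServerHelloDone" not in names:
        raise ValueError("flight has no ServerHelloDone")
    return "CertificateRequest" in names[:names.index("ServerHelloDone")]


def server_started_renegotiation(stream):
    """True iff the server sent HelloRequest (asks the client to re-handshake)."""
    return "HelloRequest" in handshake_types(stream)


# Constructed dummy bodies; real ones carry a random, a certificate chain, etc.
_SERVER_HELLO = bytes([3, 1]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
_CERTIFICATE = b"\x00\x00\x00"             # empty certificate_list
_CERT_REQUEST = b"\x01\x01" + b"\x00\x00"  # one cert type (rsa_sign), no DNs
_DONE = b""

# s_server-style flight: CertificateRequest before ServerHelloDone.
OPENSSL_STYLE_FLIGHT = record(CONTENT_HANDSHAKE,
    handshake_message(2, _SERVER_HELLO) + handshake_message(11, _CERTIFICATE)
    + handshake_message(13, _CERT_REQUEST) + handshake_message(14, _DONE))

# IIS-style flight as described: Certificate, then ServerHelloDone, no request.
# Split across two records to exercise the reassembly path.
_iis_msgs = (handshake_message(2, _SERVER_HELLO)
             + handshake_message(11, _CERTIFICATE) + handshake_message(14, _DONE))
IIS_STYLE_FLIGHT = (record(CONTENT_HANDSHAKE, _iis_msgs[:10])
                    + record(CONTENT_HANDSHAKE, _iis_msgs[10:]))

# A server-initiated renegotiation begins with an empty HelloRequest.
RENEG_TRIGGER = record(CONTENT_HANDSHAKE, handshake_message(0, b""))

if __name__ == "__main__":
    for label, flight in (("s_server", OPENSSL_STYLE_FLIGHT), ("IIS", IIS_STYLE_FLIGHT)):
        print(label, handshake_types(flight),
              "client cert requested:", server_asked_for_client_cert(flight))
    print("HelloRequest seen:", server_started_renegotiation(RENEG_TRIGGER))
```

Feeding a real server flight to `handshake_types` (for example the bytes read from the socket before the first ChangeCipherSpec) gives the same list Sharon built by hand; a HelloRequest arriving after the handshake has completed is the concrete sign that the server wants a second handshake.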