Hi to all.
I’m using the 0.9.6a-engine version (I don’t think that it will matter here), and I have the following problem:

I’m trying to connect to an https site on an IIS server using my application’s OpenSSL client; the site is defined as “require SSL channel” and “accept client certificate”. It means that I have to call the site using SSL, but I don’t have to pass a client certificate (it’s “accept”, not “require”).

So, I started the handshake without supplying the client with a certificate. IIS responded with “500 – Internal Server Error” (actually, it didn’t respond at all, but I saw the error code in its log). So, I changed the site’s restrictions from “**Accept** client certificate” to “**REQUIRE** client certificate”, and supplied my client with a client certificate – but I got the same error on the server.

Then, I decided to check the client against an OpenSSL server: I ran s_server (the sample server) and checked my client against it – it worked fine in both cases (“accept” and “require”). So, it seems that the IIS and OpenSSL servers do the handshake differently. So, I decided to check the handshake itself (by looking at the types of messages that the client receives from the server during the handshake, in both the OpenSSL and IIS handshakes).

And this is what I saw:

In OpenSSL, after sending the server certificate, the server sends a certificate request (to get the client certificate) – it doesn’t matter at this step if the case is “accept” or “require” – it will matter later to the server, but not to the client and not now. So, the client reads the server’s certificate request and sends back a certificate message (in my case, with an empty certificate). And the handshake finishes fine and the connection goes on.

In IIS, on the other hand, the server sends its certificate and then sends a “SERVER_DONE” message, which means that IIS is not even trying to ask for a certificate from the client.

So, I guess that maybe IIS is asking for a re-handshake just to ask for the client certificate? Is that right?

If it is – I have two questions:

  1. How can I support re-handshake in my client? (Maybe code examples?)
  2. How can I change this behavior of IIS? (if somebody knows…)

If my guess doesn’t seem to be right – maybe somebody can enlighten me?

If there is some lack of details – just tell!

Thank you for reading this long mail, and also to those who will decide to help :-)

Sharon.

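A small diagnostic in the spirit of the check Sharon describes (looking at which handshake message types the server sends), added here as an example and not part of the original mail or of OpenSSL: it walks plaintext TLS 1.0 records and reports whether a CertificateRequest appeared before ServerHelloDone. The two sample flights are constructed for illustration, not captures from IIS or s_server.

```python
import struct

# Handshake message type codes from RFC 2246 (TLS 1.0).
HS_NAMES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
            11: "Certificate", 12: "ServerKeyExchange", 13: "CertificateRequest",
            14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
CONTENT_CCS, CONTENT_HANDSHAKE = 0x14, 0x16

def handshake_types(stream):
    """Names of the handshake messages carried by the TLS records in `stream`,
    in order. Parsing stops at ChangeCipherSpec: everything after it
    (Finished, a later HelloRequest) is encrypted on the wire."""
    names, pending, off = [], b"", 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        off += 5 + length
        if ctype == CONTENT_CCS:
            break
        if ctype != CONTENT_HANDSHAKE:
            continue  # alert or application data, not handshake
        pending += body  # a handshake message may span several records
        while len(pending) >= 4:
            htype, hlen = pending[0], int.from_bytes(pending[1:4], "big")
            if len(pending) < 4 + hlen:
                break  # remainder arrives in the next record
            names.append(HS_NAMES.get(htype, "unknown(%d)" % htype))
            pending = pending[4 + hlen:]
    return names

def cert_request_in_first_flight(stream):
    """True when the server asks for the client certificate in the initial
    handshake (s_server); False when it goes straight to ServerHelloDone (IIS)."""
    return "CertificateRequest" in handshake_types(stream)

# Constructed sample flights (not real captures); only the framing is realistic.
def hs_msg(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body
def tls_record(payload):
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(payload)) + payload

SERVER_HELLO = hs_msg(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
CERTIFICATE = hs_msg(11, b"\x00\x00\x00")             # empty chain, placeholder
CERT_REQUEST = hs_msg(13, b"\x01\x01" + b"\x00\x00")  # rsa_sign, no CA names
# IIS-style flight: Certificate then ServerHelloDone, split across two records.
IIS_FLIGHT = tls_record(SERVER_HELLO + CERTIFICATE) + tls_record(hs_msg(14, b""))
# s_server-style flight: CertificateRequest precedes ServerHelloDone.
SSERVER_FLIGHT = tls_record(SERVER_HELLO + CERTIFICATE + CERT_REQUEST + hs_msg(14, b""))
```

A client-side capture of the server’s first flight (or the plaintext messages an OpenSSL message callback hands you) can be fed to `handshake_types` directly; if no CertificateRequest shows up there, the certificate can only be asked for in a later re-handshake.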