On Thu, Sep 04, 2025 at 01:05:00AM +1000, Viktor Dukhovni wrote:
> > 59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate
>
> The server reads the client's response,
>
> > 59213 CLIENT_TRAFFIC_SECRET_0
> > 4834841eb4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > e3c12a3feb660dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > 59213 SSL SSL_accept,state_chg: SSLv3/TLS read finished
>
> But then immediately moves to the "finished" state. I don't see any
> attempt to read the client's certificate verify message, so I don't
> think the client sent a certificate (it sent an empty certificate
> message).
>
> Whatever certificate the client had on hand was not actually sent.

Below is a partial state transition trace from a connection where the
client did send a cert:
...
SSL_accept:SSLv3/TLS write certificate request
SSL_accept:SSLv3/TLS write certificate
SSL_accept:TLSv1.3 write server certificate verify
SSL_accept:SSLv3/TLS write finished
SSL_accept:TLSv1.3 early data
SSL_accept:TLSv1.3 early data
SSL_accept:SSLv3/TLS read client certificate
---> SSL_accept:SSLv3/TLS read certificate verify
SSL_accept:SSLv3/TLS read finished
...
The essential difference is the "read certificate verify" that follows
"read client certificate".
--
Viktor. 🇺🇦 Слава Україні!
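
Added example (not part of the message above, and not Exim or OpenSSL code): a short Python check that applies the distinction described in the thread to server-side state traces in either of the two formats quoted. The function names, status labels and sample traces are constructed for illustration.

```python
import re

# Matches both server-side trace formats quoted in the thread, e.g.
#   "59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate"
#   "SSL_accept:TLSv1.3 write server certificate verify"
STATE_RE = re.compile(
    r"SSL_accept(?:,state_chg)?:\s*(?:SSLv3/TLS|TLSv1\.3)\s+(.+?)\s*$")

def handshake_states(trace):
    """Ordered state names from a trace; key-log and other lines are skipped."""
    found = (STATE_RE.search(line) for line in trace.splitlines())
    return [m.group(1) for m in found if m]

def client_cert_status(trace):
    """Classify what the client did with the server's certificate request."""
    states = handshake_states(trace)
    if "read client certificate" not in states:
        return "no-certificate-message"
    after = states[states.index("read client certificate") + 1:]
    next_read = next((s for s in after if s.startswith("read ")), None)
    if next_read == "read certificate verify":
        return "certificate-sent"       # client proved possession of a key
    if next_read == "read finished":
        return "empty-certificate"      # Certificate message carried no cert
    return "incomplete-trace"

# Constructed samples modelled on the two traces in the thread
# (the key-log line is a placeholder, not real secret material).
EMPTY_TRACE = """\
59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate
59213 CLIENT_TRAFFIC_SECRET_0 <placeholder>
59213 SSL SSL_accept,state_chg: SSLv3/TLS read finished
"""
SENT_TRACE = """\
SSL_accept:SSLv3/TLS write certificate request
SSL_accept:SSLv3/TLS write finished
SSL_accept:TLSv1.3 early data
SSL_accept:SSLv3/TLS read client certificate
---> SSL_accept:SSLv3/TLS read certificate verify
SSL_accept:SSLv3/TLS read finished
"""

if __name__ == "__main__":
    for name, trace in (("empty", EMPTY_TRACE), ("sent", SENT_TRACE)):
        print(name, "->", client_cert_status(trace))
```
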