Replicated same behavior with s_client. Attached is a zip with all of the relevant data - openssl.log - log file showing cli output using s_client in both the failure and successful cases - http_calist.pem (trusted ca) and ssl.pem (cert + key for client) - tmscert.pem tmskey-nopass.pem (server key/cert) - associated packet captures
This is with a snapshot from early 1.0.1 openssl (Nov). I would like to run with a newer build, but I need to rely on the platform being updated by some others first. -Steve -----Original Message----- From: Stephen Henson via RT [mailto:[email protected]] Sent: Sunday, February 05, 2012 3:52 PM To: Steve Kapinos (stkapino) Cc: [email protected] Subject: [openssl.org #2702] TLS bad_mac_record with IIS 7 and client authentication > [[email protected] - Sun Feb 05 17:33:28 2012]: > > Hi Stephen I will try to test with the client and get back to you. > This is in an internal lab so it is not reachable. I can provide > packet sniff along with the certs /keys if that would be useful? > Yes. Also please try it with the -no_tls1_2 option and both -no_tls1_2 and -no_tls1_1 to see if that helps. The output with -state too would be useful on a failing connection. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
