On Thu, Nov 07, 2013 at 12:29:13PM +0000, Ben Arnold wrote:

> I am using SSL_CTX_set_client_cert_cb to provide the client
> certificate when needed.  I have a problem in that OpenSSL 1.0.1e
> does not trigger this callback for all websites that I expect it
> to, only some.  Instead on the failing sites there is an SSL
> handshake failure after the client verifies the server certificate:

You can test with s_client(1) and compare results.  Is your client
certificate an RSA certificate?  How many bits of public key?  Is
its signature SHA1 or SHA256?

> SSL read: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake
> failure, errno 0
> 
> Interestingly if I compile against 1.0.0k then there is no failure
> and the callback *is* triggered for all sites (that I have tried
> so far anyway).

Sounds like a problem with TLSv1.2.  If your client certificate is
only 512-bits it may not be wide enough to sign a SHA384 digest,
or some other TLSv1.2 parameter issue.

Attaching a PCAP file of the traffic is much more useful than hex
packet dumps.  Capture the traffic with "tcpdump -s0 -w file ..."
and look with "wireshark -r file".  If you don't understand the
wireshark output, post the (binary) PCAP file containing just one
failed TLS handshake, perhaps also a PCAP file with a successful
TLS handshake.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
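An added example, not from this thread and not OpenSSL's own code: a small POSIX shell helper that answers the three questions Viktor asks (RSA key size, signature hash) from `openssl x509 -text` output, works out whether a key of that size can even produce a PKCS#1 v1.5 signature over SHA-256 or SHA-384 (the point behind the 512-bit remark: 48-byte digest + 19-byte DigestInfo + 11 bytes padding = 78 bytes, more than a 64-byte modulus holds), and runs s_client once with TLSv1.2 and once with TLSv1 forced so the two outcomes can be compared. The certificate text in SAMPLE_CERT_TEXT is a constructed sample; CERT, KEY, HOST and PORT are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Placeholders: CERT/KEY are a PEM
# client certificate and key, HOST:PORT the server that sends CertificateRequest.
CERT=${CERT:-}
KEY=${KEY:-client-key.pem}
HOST=${HOST:-server.example}
PORT=${PORT:-443}

# Constructed sample of `openssl x509 -noout -text` output: a 512-bit RSA key
# with a SHA-256 signature, i.e. the kind of certificate Viktor suspects.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
'

# RSA modulus size in bits, taken from the "Public-Key: (N bit)" line.
key_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Certificate signature algorithm, e.g. sha256WithRSAEncryption (first occurrence).
sig_alg_from_text() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: *\(.*\)$/\1/p' | head -n 1
}

# Smallest RSA modulus (bits) that fits a PKCS#1 v1.5 signature over the hash:
# digest length + DER DigestInfo prefix + 11 bytes of padding (RFC 8017 section 9.2).
min_rsa_bits_for_hash() {
    case "$1" in
        sha1)   echo $(( (20 + 15 + 11) * 8 )) ;;   # 368
        sha256) echo $(( (32 + 19 + 11) * 8 )) ;;   # 496: a 512-bit key still works
        sha384) echo $(( (48 + 19 + 11) * 8 )) ;;   # 624: a 512-bit key cannot sign this
        sha512) echo $(( (64 + 19 + 11) * 8 )) ;;   # 752
        *) echo 0; return 1 ;;
    esac
}

# "yes" if a key of $1 bits can produce a PKCS#1 v1.5 signature over hash $2.
key_can_sign() {
    min=$(min_rsa_bits_for_hash "$2") || return 1
    [ "$1" -ge "$min" ] && echo yes || echo no
}

# One-line summary: key size, signature algorithm, and whether the key can sign
# SHA-256 and SHA-384 digests (the TLSv1.2 CertificateVerify candidates at issue).
assess_cert_text() {
    bits=$(key_bits_from_text "$1")
    alg=$(sig_alg_from_text "$1")
    [ -n "$bits" ] || { echo "no RSA public key found"; return 1; }
    printf 'bits=%s sig=%s sha256=%s sha384=%s\n' "$bits" "$alg" \
        "$(key_can_sign "$bits" sha256)" "$(key_can_sign "$bits" sha384)"
}

# Run one s_client handshake with the given protocol flag (-tls1_2 or -tls1) and
# report "failed" if OpenSSL printed a handshake-failure error, "ok" otherwise.
# This is a heuristic on the error text; keep the PCAP for the real answer.
try_handshake() {
    out=$(openssl s_client -connect "$HOST:$PORT" -cert "$CERT" -key "$KEY" "$1" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -qi 'handshake failure'; then echo failed; else echo ok; fi
}

# Stand-alone run: assess a real certificate when CERT is set, else the constructed sample.
if [ -n "$CERT" ] && command -v openssl >/dev/null 2>&1; then
    assess_cert_text "$(openssl x509 -in "$CERT" -noout -text)"
    for proto in -tls1_2 -tls1; do
        printf '%s: %s\n' "$proto" "$(try_handshake "$proto")"
    done
else
    assess_cert_text "$SAMPLE_CERT_TEXT"
fi
```

Usage on a real client certificate: `CERT=client.pem KEY=client-key.pem HOST=<server> PORT=443 sh diagnose.sh`. If the assessment shows sha384=no and the TLSv1 run succeeds where the TLSv1.2 run fails, the certificate key size is the first thing to fix; if both runs behave the same, the problem lies elsewhere and the PCAP Viktor asks for is the next step.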
