On Thu, Nov 07, 2013 at 12:29:13PM +0000, Ben Arnold wrote:

> I am using SSL_CTX_set_client_cert_cb to provide the client certificate when needed. I have a problem in that OpenSSL 1.0.1e does not trigger this callback for all websites that I expect it to, only some. Instead on the failing sites there is an SSL handshake failure after the client verifies the server certificate:

You can test with s_client(1) and compare results. Is your client certificate an RSA certificate? How many bits of public key? Is its signature SHA1 or SHA256?

> SSL read: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure, errno 0
>
> Interestingly if I compile against 1.0.0k then there is no failure and the callback *is* triggered for all sites (that I have tried so far anyway).

Sounds like a problem with TLSv1.2. If your client certificate is only 512 bits it may not be wide enough to sign a SHA384 digest, or some other TLSv1.2 parameter issue.

Attaching a PCAP file of the traffic is much more useful than hex packet dumps. Capture the traffic with "tcpdump -s0 -w file ..." and look with "wireshark -r file". If you don't understand the wireshark output, post the (binary) PCAP file containing just one failed TLS handshake, perhaps also a PCAP file with a successful TLS handshake.

--
	Viktor.
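To make the "not wide enough to sign a SHA384 digest" remark concrete, here is an added example (not from the thread, not OpenSSL code) that implements the EMSA-PKCS1-v1_5 encoding of RFC 3447 section 9.2 and reports which TLS 1.2 signature hashes an RSA key of a given size can sign at all; the sample message is constructed, and the check models only the PKCS#1 v1.5 length rule, not OpenSSL's actual algorithm negotiation.

```python
"""Which TLS 1.2 signature hashes an RSA client key of a given size can sign.

A PKCS#1 v1.5 signature needs emLen >= tLen + 11 bytes, where emLen is the
modulus length and T is DigestInfo || digest. For a 512-bit key emLen is 64,
but T for SHA-384 is 67 bytes, so the encoding cannot fit at all.
"""
import hashlib

# DER DigestInfo prefixes (AlgorithmIdentifier + OCTET STRING header) from RFC 3447 §9.2.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v15_encode(hash_name: str, message: bytes, em_len: int) -> bytes:
    """Return EM = 0x00 || 0x01 || PS || 0x00 || T, or raise if the key is too short."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:  # PS must be at least 8 bytes of 0xFF
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def usable_hashes(key_bits: int) -> dict:
    """Map each hash name to whether an RSA key of key_bits can sign it with PKCS#1 v1.5."""
    em_len = (key_bits + 7) // 8
    sample = b"constructed sample handshake transcript"  # constructed, not a real transcript
    result = {}
    for name in DIGEST_INFO_PREFIX:
        try:
            emsa_pkcs1_v15_encode(name, sample, em_len)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        ok = [h for h, v in usable_hashes(bits).items() if v]
        print(f"{bits}-bit RSA client key can sign: {', '.join(ok)}")
```

A 512-bit key comes out as able to sign SHA-1, SHA-224 and SHA-256 but not SHA-384 or SHA-512, which is exactly the gap a TLS 1.2 peer demanding SHA-384 would expose.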