I'm trying to get on openssl-users; I'm on a phone.

On Tue, Oct 9, 2018, 6:11 PM Dustin Albright <[email protected]> wrote:

> Trying to get it open.
>
> On Tue, Oct 9, 2018, 6:08 PM Dustin Albright <[email protected]> wrote:
>
>> I don't want to; I don't know how to do this.
>>
>> On Tue, Oct 9, 2018, 6:06 PM Dustin Albright <[email protected]> wrote:
>>
>>> No, had to bring in groceries, sorry about that.
>>>
>>> On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> OpenSSL version 1.1.1 FIPS, on Fedora 29
>>>>
>>>> (on both client and server)
>>>>
>>>> I'm seeing a client not receiving, or ignoring, what
>>>> should be a fatal alert from the server during handshake.
>>>>
>>>> The server is requiring a client certificate, via:
>>>>
>>>>     SSL_CTX_set_verify(sctx,
>>>>         SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...)
>>>>     ...
>>>>     server_ssl = SSL_new(server_ctx)
>>>>     ...
>>>>     SSL_accept(server_ssl)
>>>>
>>>> ... and the client is not supplying one. This is a deliberate
>>>> testcase. The server debug output goes:
>>>>
>>>> ==============
>>>> 21:31:54 8729 SMTP>> 220 TLS go ahead
>>>> 21:31:54 8729 Calling SSL_accept
>>>> 21:31:54 8729 SSL info: before SSL initialization
>>>> 21:31:54 8729 SSL info: before SSL initialization
>>>> 21:31:54 8729 SSL info: before SSL initialization
>>>> 21:31:54 8729 SSL info: SSLv3/TLS read client hello
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write server hello
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec
>>>> 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate request
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate
>>>> 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify
>>>> 21:31:54 8729 SSL info: SSLv3/TLS write finished
>>>> 21:31:54 8729 SSL info: TLSv1.3 early data
>>>> 21:31:54 8729 SSL info: TLSv1.3 early data
>>>> 21:31:54 8729 SSL info: error
>>>> 21:31:54 8729 SSL info: error
>>>> 21:31:54 8729 LOG: MAIN
>>>> 21:31:54 8729 TLS error on connection from (rhu.barb) [192.168.122.94] (SSL_accept): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
>>>> ===================
>>>>
>>>> So far so good. The client however sees:
>>>>
>>>> ===================
>>>> <<< 220 TLS go ahead
>>>> Attempting to start TLS
>>>> SSL info: before SSL initialization
>>>> SSL info: before SSL initialization
>>>> SSL info: SSLv3/TLS write client hello
>>>> SSL info: SSLv3/TLS write client hello
>>>> SSL info: SSLv3/TLS read server hello
>>>> SSL info: TLSv1.3 read encrypted extensions
>>>> SSL info: SSLv3/TLS read server certificate request
>>>> SSL info: SSLv3/TLS read server certificate
>>>> SSL info: TLSv1.3 read server certificate verify
>>>> SSL info: SSLv3/TLS read finished
>>>> SSL info: SSLv3/TLS write change cipher spec
>>>> SSL info: SSLv3/TLS write client certificate
>>>> SSL info: SSLv3/TLS write finished
>>>> SSL info: SSL negotiation finished successfully
>>>> SSL info: SSL negotiation finished successfully
>>>> SSL connection using TLS_AES_256_GCM_SHA384
>>>> =================
>>>>
>>>> The code running up to that last line indicates that
>>>> SSL_connect() returned without error:
>>>>
>>>> ----
>>>> rc = SSL_connect (*ssl);
>>>> alarm(0);
>>>>
>>>> if (sigalrm_seen)
>>>>   {
>>>>   printf("SSL_connect timed out\n");
>>>>   return 0;
>>>>   }
>>>>
>>>> if (rc <= 0)
>>>>   {
>>>>   ERR_print_errors_fp(stdout);
>>>>   return 0;
>>>>   }
>>>>
>>>> printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
>>>> ----
>>>>
>>>> What am I doing wrong?
>>>> --
>>>> Thanks,
>>>>   Jeremy
>>>> --
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
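The handshake ordering behind the two logs in Jeremy's message, reproduced as an added example (this is not code from the thread, from Exim, or from OpenSSL itself). In TLS 1.3 the client sends its Certificate and Finished only after it has already processed the server's Finished, so the client's SSL_connect() returns 1 before the server has even looked at the empty Certificate message; the server's fatal alert then surfaces on the client's next SSL_read() or SSL_write(). In TLS 1.2 the server sends its Finished only after it has checked the client's Certificate, so the same misconfiguration fails inside SSL_connect() itself. The example drives an OpenSSL client and server through Python's ssl module over in-memory BIOs, with a server that requires a client certificate (CERT_REQUIRED is the Python spelling of SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT) and a client that offers none. It assumes an `openssl` CLI on PATH purely to mint a throw-away self-signed server certificate; the helper names, the certificate file names and the result keys are my own.

```python
"""Show when a missing client certificate is reported to the client:
TLS 1.3 -> after SSL_connect() already succeeded (on the first read);
TLS 1.2 -> from SSL_connect() itself.

Added example; assumes an `openssl` binary on PATH for cert generation.
"""
import os
import ssl
import subprocess
import tempfile


def make_self_signed(dirpath):
    """Mint a throw-away prime256v1 key and self-signed cert for CN=localhost."""
    key = os.path.join(dirpath, "key.pem")
    cert = os.path.join(dirpath, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "ec",
         "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost", "-days", "1"],
        check=True, capture_output=True,
    )
    return cert, key


def pump(src, dst):
    """Deliver everything one side wrote to the other side's inbox BIO."""
    data = src.read()
    if data:
        dst.write(data)


def run_handshake(tls13=True):
    """Server demands a client cert, client offers none; report what each side saw."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)

        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(cert, key)
        sctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
        if not tls13:
            sctx.maximum_version = ssl.TLSVersion.TLSv1_2

        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.check_hostname = False
        cctx.verify_mode = ssl.CERT_NONE  # test-only: we are not examining server auth here
        # Deliberately no cctx.load_cert_chain(): the client has no certificate to offer.

        c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        client = cctx.wrap_bio(c_in, c_out, server_side=False)
        server = sctx.wrap_bio(s_in, s_out, server_side=True)

        result = {"client_connect_ok": False, "client_connect_error": None,
                  "server_error": None, "client_read_error": None}
        server_ok = False

        for _ in range(10):
            if not result["client_connect_ok"] and result["client_connect_error"] is None:
                try:
                    client.do_handshake()  # the client's SSL_connect()
                    result["client_connect_ok"] = True
                except ssl.SSLWantReadError:
                    pass  # waiting for the server's next flight
                except ssl.SSLError as e:
                    result["client_connect_error"] = e.reason or str(e)
            pump(c_out, s_in)

            if not server_ok and result["server_error"] is None:
                try:
                    server.do_handshake()  # the server's SSL_accept()
                    server_ok = True
                except ssl.SSLWantReadError:
                    pass
                except ssl.SSLError as e:  # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
                    result["server_error"] = e.reason or str(e)
            pump(s_out, c_in)  # carries the server's fatal alert, if any

            server_settled = server_ok or result["server_error"] is not None
            client_settled = result["client_connect_ok"] or result["client_connect_error"] is not None
            if server_settled and client_settled:
                break

        if result["client_connect_ok"]:
            # The first application read after a "successful" connect is where a
            # TLS 1.3 client actually learns that the server rejected it.
            try:
                client.read(1024)
            except ssl.SSLWantReadError:
                result["client_read_error"] = "WANT_READ"
            except ssl.SSLError as e:
                result["client_read_error"] = e.reason or str(e)
        return result


if __name__ == "__main__":
    print("TLS 1.3:", run_handshake(tls13=True))
    print("TLS 1.2:", run_handshake(tls13=False))
```

With TLS 1.3 the client's do_handshake() succeeds and the alert only arrives from client.read(); with TLS 1.2 the alert is raised from do_handshake() and client_connect_ok stays False. The practical consequence for a client is that, under TLS 1.3, a successful SSL_connect() does not mean the server has accepted the connection: the first SSL_read()/SSL_write() after it must be treated as part of the handshake and its SSL_get_error() result logged as such.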
