Re: [openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

2018-10-11 Thread Dave Wang
Hi Matt,

This makes sense: if I disable TLS1.3, the issue is gone. Thanks for your
help.

Regards,
Dave

On Thu, Oct 11, 2018 at 2:36 AM Matt Caswell  wrote:

> I opened this issue to track this problem:
>
> https://github.com/openssl/openssl/issues/7384
>
> Matt
>
>
> On 11/10/18 10:25, Matt Caswell wrote:
> >
> >
> > On 10/10/18 23:04, Dave Wang wrote:
> >> Hi there,
> >>
> >> I have a client that can talk with a server, where the client certificate is
> >> loaded in client_cert_cb based on matching the server side certificate.
> >>
> >> It works perfectly in openssl 1.1.0h, however it stops working after I
> >> upgrade to openssl 1.1.1.
> >>
> >> In client_cert_cb, when I call SSL_get_peer_certificate, it returns
> >> NULL, which is different from openssl 1.1.0h.
> >>
> >> I do set SSL_VERIFY_PEER on both sides.
> >>
> >>
> >> any thoughts on this?
> >
> > I assume this only happens with a TLSv1.3 handshake?
> >
> > From the documentation, the client_cert_cb is called: "when a client
> > certificate is requested by a server". In practice this means when we
> > have received the CertificateRequest message from the server.
> >
> > In TLSv1.2 (and below) the server's first flight of messages for a
> > client-auth full handshake in response to a ClientHello looks like this:
> >
> > ServerHello
> > Certificate
> > ServerKeyExchange
> > CertificateRequest
> > ServerHelloDone
> >
> > In TLSv1.3 it looks like this:
> >
> > ServerHello
> > EncryptedExtensions
> > CertificateRequest
> > Certificate
> > CertificateVerify
> > Finished
> >
> > Note that in TLSv1.2 the CertificateRequest message comes *after* the
> > server has sent the Certificate but in TLSv1.3 it comes *before*. That
> > means of course that in TLSv1.3 the client_cert_cb gets called before we
> > have processed the server's certificate and hence
> > SSL_get_peer_certificate() returns NULL.
> >
> > I'm wondering whether we should delay calling the client_cert_cb in
> > TLSv1.3 until after the CertificateVerify has been processed.
> >
> > Matt
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


[openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

2018-10-10 Thread Dave Wang
Hi there,

I have a client that can talk with a server, where the client certificate is
loaded in client_cert_cb based on matching the server side certificate.

It works perfectly in openssl 1.1.0h, however it stops working after I
upgrade to openssl 1.1.1.

In client_cert_cb, when I call SSL_get_peer_certificate, it returns NULL,
which is different from openssl 1.1.0h.

I do set SSL_VERIFY_PEER on both sides.


any thoughts on this?

Regards,
Dave