Feature #15353

Support client certificates with TLS 1.3 and OpenSSL 1.1.1

Added by mkauf (Michael Kaufmann) about 1 year ago. Updated 11 months ago.

Status:
Open
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:90124]

Description

A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.

In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth(). In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452

To test this, OpenSSL's "s_server" tool can be used. Start it with:

openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem

Then start the test client (see attachment):

./client.rb

Now press the key "c" and press ENTER in openssl s_server. Currently, this message is printed:

Failed to initiate request
139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:

This means that the client does not support post-handshake authentication.

Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs
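The description above tests the post-handshake path, which needs a binding for SSL_set_post_handshake_auth() that ruby/openssl lacks at the time of this report. The following is an added example (not the attached client.rb and not ruby/openssl project code) that shows the part that does work with TLS 1.3 in ruby/openssl: a client certificate requested and verified during the handshake itself. It builds a throwaway CA, server and client certificate in memory (constructed for the example, not the MyRootCA/MyClient1 files attached here) and runs both ends over a socket pair so it needs no network and no external s_server; the `run_mutual_tls` helper and all subject names are assumptions of this example.

```ruby
require "openssl"
require "socket"

# Issue a certificate. Constructed in-memory PKI for this example only;
# `eku` selects serverAuth/clientAuth so OpenSSL's purpose checks pass.
def make_cert(cn, key, serial:, issuer_cert: nil, issuer_key: nil, ca: false, eku: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
    cert.add_extension(ef.create_extension("extendedKeyUsage", eku, false)) if eku
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert("Example Test Root CA", CA_KEY, serial: 1, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert("localhost", SERVER_KEY, serial: 2,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY, eku: "serverAuth")
CLIENT_KEY  = OpenSSL::PKey::RSA.new(2048)
CLIENT_CERT = make_cert("MyClient1", CLIENT_KEY, serial: 3,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY, eku: "clientAuth")

# Run one mutually authenticated TLS handshake in-process (server in a
# thread, client in the caller) and report what each side actually saw.
def run_mutual_tls
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = SERVER_CERT
  server_ctx.key = SERVER_KEY
  server_ctx.cert_store = store
  # Demand a client certificate during the handshake and fail without one.
  server_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  if defined?(OpenSSL::SSL::TLS1_3_VERSION)
    server_ctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.cert = CLIENT_CERT
  client_ctx.key = CLIENT_KEY
  client_ctx.cert_store = store
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER

  server_io, client_io = Socket.pair(:UNIX, :STREAM)

  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    ssl.accept
    peer = ssl.peer_cert                 # the verified client certificate
    ssl.puts "hello #{peer.subject}"
    ssl.close
    server_io.close
    peer
  end

  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  ssl.connect
  result = {
    version: ssl.ssl_version,
    server_subject: ssl.peer_cert.subject.to_s,
    greeting: ssl.gets.chomp,
  }
  ssl.close
  client_io.close
  result[:client_subject] = server.value.subject.to_s   # re-raises server errors
  result
end

if __FILE__ == $0
  r = run_mutual_tls
  puts "negotiated #{r[:version]}, server saw client cert #{r[:client_subject]}"
end
```

If the server side drops VERIFY_FAIL_IF_NO_PEER_CERT, or the client side does not set `cert`/`key`, the handshake still completes under TLS 1.3 with an empty Certificate message from the client, so checking `peer_cert` on the server (as the thread above does) is the test that tells you whether client authentication actually happened rather than merely being offered.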


Files

client.rb (387 Bytes) - Test client - mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyClient1.key (1.64 KB) - Key for the test certificate - mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyClient1.pem (1.25 KB) - Test certificate - mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyRootCA.key (1.64 KB) - Key for the root CA certificate - mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyRootCA.pem (1.35 KB) - Root CA certificate - mkauf (Michael Kaufmann), 11/28/2018 03:43 PM

History

Updated by shyouhei (Shyouhei Urabe) about 1 year ago

Hello, openssl library now has its own tracker. Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues

Updated by mkauf (Michael Kaufmann) 11 months ago

  • Subject changed from Support Post-Handshake Authentication with TLS 1.3 and OpenSSL 1.1.1 to Support client certificates with TLS 1.3 and OpenSSL 1.1.1

Hello, openssl library now has its own tracker. Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues

Thank you for explaining that ruby/openssl has its own bug tracker!

I have created an issue there: https://github.com/ruby/openssl/issues/237
