Feature #15353

Support client certificates with TLS 1.3 and OpenSSL 1.1.1

Added by mkauf (Michael Kaufmann) over 5 years ago. Updated over 2 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:90124]

Description

A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.

In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth(). In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452

To test this, OpenSSL's "s_server" tool can be used. Start it with:

openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem

Then start the test client (see attachment):

./client.rb

Now press the key "c" and press ENTER in openssl s_server. Currently, this message is printed:

Failed to initiate request
139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:

This means that the client does not support post-handshake authentication.

Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs


Files

client.rb (387 Bytes) client.rb Test client mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyClient1.key (1.64 KB) MyClient1.key Key for the test certificate mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyClient1.pem (1.25 KB) MyClient1.pem Test certificate mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyRootCA.key (1.64 KB) MyRootCA.key Key for the root CA certificate mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyRootCA.pem (1.35 KB) MyRootCA.pem Root CA certificate mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
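The following is an added example, not one of the attachments above and not ruby/openssl's own code. It exercises the feature this issue is about from Ruby: a TLS 1.3 server and client on loopback, where the server requires a client certificate chained to a test CA that the script generates in memory (the helper names issue_cert, run_exchange and demo are this example's own). Ruby's openssl does not expose SSL_verify_client_post_handshake, so the server requests the certificate during the handshake (verify_mode set before accept) instead of after it, which is what s_server does when "c" is pressed; the example also shows the TLS 1.3 behaviour that a rejected or missing client certificate surfaces on the client's first read rather than in connect. It assumes OpenSSL 1.1.1 or later and an openssl gem that defines OpenSSL::SSL::TLS1_3_VERSION.

```ruby
require "openssl"
require "socket"

# Helper constructed for this example: issue an X.509v3 certificate.
# With no issuer given, the certificate is self-signed (used for the test root CA).
def issue_cert(subject, serial, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  issuer_cert, issuer_key = issuer || [cert, key]
  cert.issuer = issuer_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# One TLS 1.3 connection over loopback. The server requires a client certificate
# signed by the test CA; the client presents one only if `client` is given.
# Returns a hash describing what each side observed.
def run_exchange(ca:, server:, client: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[0])

  sctx = OpenSSL::SSL::SSLContext.new
  sctx.min_version = OpenSSL::SSL::TLS1_3_VERSION # TLS 1.3 only, so no TLS 1.2 fallback hides a problem
  sctx.cert, sctx.key = server
  sctx.cert_store  = store
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT

  cctx = OpenSSL::SSL::SSLContext.new
  cctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  cctx.cert, cctx.key = client if client
  cctx.cert_store  = store
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # verify the server against the same test CA

  listener = TCPServer.new("127.0.0.1", 0)
  result = { server_accepted: false }

  server_thread = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, sctx)
    ssl.sync_close = true
    begin
      ssl.accept # fails with "peer did not return a certificate" if the client sent none
      result[:server_accepted] = true
      result[:version]         = ssl.ssl_version
      result[:peer_subject]    = ssl.peer_cert.subject.to_s
      ssl.puts "hello #{result[:peer_subject]}"
    rescue OpenSSL::SSL::SSLError => e
      result[:server_error] = e.message
    ensure
      ssl.close
    end
  end

  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", listener.addr[1]), cctx)
  ssl.sync_close = true
  begin
    ssl.connect
    # In TLS 1.3 the client sends Certificate and Finished back to back and connect
    # returns; a certificate_required alert from the server shows up on the first read.
    result[:greeting] = ssl.gets&.chomp
  rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::EPIPE => e
    result[:client_error] = e.class.name
  ensure
    ssl.close
  end
  server_thread.join
  listener.close
  result
end

# Run the exchange once with a client certificate and once without.
def demo
  ca     = issue_cert("/CN=Example Test Root CA", 1, ca: true)
  server = issue_cert("/CN=localhost", 2, issuer: ca)
  client = issue_cert("/CN=MyClient1", 3, issuer: ca)
  [run_exchange(ca: ca, server: server, client: client),
   run_exchange(ca: ca, server: server)]
end

if __FILE__ == $0
  with_cert, without_cert = demo
  puts "with client cert:    #{with_cert.inspect}"
  puts "without client cert: #{without_cert.inspect}"
end
```

The first run should report server_accepted true, version "TLSv1.3" and the client's subject as seen by the server; the second should report server_accepted false with an SSLError on the server and no greeting on the client. To reproduce the post-handshake case from the description with this client instead of client.rb, point it at the s_server command above (without -Verify) and press "c": whether the request succeeds depends on the client having advertised the post_handshake_auth extension, which is exactly what this issue asked ruby/openssl to do.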

Updated by shyouhei (Shyouhei Urabe) over 5 years ago

Hello, openssl library now has its own tracker. Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues

Updated by mkauf (Michael Kaufmann) about 5 years ago

  • Subject changed from Support Post-Handshake Authentication with TLS 1.3 and OpenSSL 1.1.1 to Support client certificates with TLS 1.3 and OpenSSL 1.1.1

> Hello, openssl library now has its own tracker. Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues

Thank you for explaining that ruby/openssl has its own bug tracker!

I have created an issue there: https://github.com/ruby/openssl/issues/237

Updated by hsbt (Hiroshi SHIBATA) over 2 years ago

  • Status changed from Open to Closed

This feature was merged at https://github.com/ruby/openssl/pull/239
