Feature #15353 (closed)
Support client certificates with TLS 1.3 and OpenSSL 1.1.1
Description
A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.
In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth(). In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452
To test this, OpenSSL's "s_server" tool can be used. Start it with:
openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem
Then start the test client (see attachment):
./client.rb
Now press the key "c" and press ENTER in openssl s_server. Currently, this message is printed:
Failed to initiate request
139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:
This means that the client does not support post-handshake authentication.
Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs
Updated by shyouhei (Shyouhei Urabe) over 6 years ago
Hello, openssl library now has its own tracker. Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues
Updated by mkauf (Michael Kaufmann) over 6 years ago
- Subject changed from Support Post-Handshake Authentication with TLS 1.3 and OpenSSL 1.1.1 to Support client certificates with TLS 1.3 and OpenSSL 1.1.1
> Hello, openssl library now has its own tracker. Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues
Thank you for explaining that ruby/openssl has its own bug tracker!
I have created an issue there: https://github.com/ruby/openssl/issues/237
Updated by hsbt (Hiroshi SHIBATA) over 3 years ago
- Status changed from Open to Closed
This feature was merged at https://github.com/ruby/openssl/pull/239
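The scenario from the description, exercised in-process instead of against s_server. This is an added example, not code from the ticket, from its client.rb attachment or from the ruby/openssl project. It builds a throwaway CA, server certificate and client certificate in memory (the names "/CN=Test CA", "/CN=localhost" and "/CN=test-client" are made up), runs a TLS 1.3 handshake over a Unix socket pair with the server requiring a client certificate, and reports what the server saw, once with a client certificate and once without. It covers only the in-handshake client-certificate path: requesting the certificate after the handshake, as s_server's "c" command does, is server-initiated and, as far as I know, not exposed by the ruby/openssl API, so that case still needs the s_server procedure from the description.

```ruby
require "openssl"
require "socket"

# Added example; not code from the ticket or from ruby/openssl.
# Subject names and the "hello" payload are made up for the demonstration.

# Issue an X.509 v3 certificate for +subject_key+. +issuer+ is [cert, key], or
# nil for a self-signed certificate. +extensions+ are [oid, value, critical].
def issue_cert(subject, subject_key, serial, issuer, extensions)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = subject_key   # only the public half is encoded
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  extensions.each { |oid, v, crit| cert.add_extension(ef.create_extension(oid, v, crit)) }
  cert.sign(issuer ? issuer[1] : subject_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# One CA, one server identity, one client identity. Key generation dominates run time.
def build_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert("/CN=Test CA", ca_key, 1, nil,
                  [["basicConstraints", "CA:TRUE", true],
                   ["keyUsage", "keyCertSign,cRLSign", true]])
  server_key = OpenSSL::PKey::RSA.new(2048)
  server = issue_cert("/CN=localhost", server_key, 2, [ca, ca_key],
                      [["basicConstraints", "CA:FALSE", true],
                       ["extendedKeyUsage", "serverAuth", false]])
  client_key = OpenSSL::PKey::RSA.new(2048)
  client = issue_cert("/CN=test-client", client_key, 3, [ca, ca_key],
                      [["basicConstraints", "CA:FALSE", true],
                       ["extendedKeyUsage", "clientAuth", false]])
  { ca: ca, server_cert: server, server_key: server_key,
    client_cert: client, client_key: client_key }
end

# Run a TLS 1.3 handshake over a socket pair. The server demands a client
# certificate (like s_server -CAfile plus -Verify); the client presents one
# unless +present_client_cert+ is false. Returns what the server observed.
def tls13_client_cert_handshake(pki, present_client_cert: true)
  store = OpenSSL::X509::Store.new
  store.add_cert(pki[:ca])

  sctx = OpenSSL::SSL::SSLContext.new
  sctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  sctx.cert = pki[:server_cert]
  sctx.key = pki[:server_key]
  sctx.cert_store = store
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT

  cctx = OpenSSL::SSL::SSLContext.new
  cctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  cctx.cert_store = store
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if present_client_cert
    cctx.cert = pki[:client_cert]   # client cert + key: what the ticket is about
    cctx.key = pki[:client_key]
  end

  server_io, client_io = UNIXSocket.pair
  server = OpenSSL::SSL::SSLSocket.new(server_io, sctx)
  client = OpenSSL::SSL::SSLSocket.new(client_io, cctx)
  [server, client].each { |s| s.sync_close = true; s.sync = true }

  result = { version: nil, peer_subject: nil, reply: nil, server_error: nil }
  accepter = Thread.new do
    server.accept
    # In TLS 1.3 the client's Certificate flight follows the server's Finished;
    # accept returns only after the server has verified it, so peer_cert is set.
    result[:version] = server.ssl_version
    result[:peer_subject] = server.peer_cert.subject.to_s
    server.puts("echo: #{server.gets.chomp}")
  rescue OpenSSL::SSL::SSLError => e
    result[:server_error] = e.message   # e.g. the client sent no certificate
  end

  begin
    client.connect
    client.puts "hello"
    result[:reply] = client.gets&.chomp
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
    # A rejected TLS 1.3 client can finish connect() before reading the server's
    # alert and only fails on its first read; nothing to do here.
  end
  accepter.join
  result
ensure
  client&.close
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  p tls13_client_cert_handshake(pki)
  p tls13_client_cert_handshake(pki, present_client_cert: false)
end
```

The rejection run is the check a practitioner wants alongside the happy path: with VERIFY_FAIL_IF_NO_PEER_CERT the server aborts a TLS 1.3 handshake from a client that has no certificate configured, while the client side may not notice until its first read, which is why the example treats the client-side error as expected rather than asserting on it.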