Feature #15353: Support client certificates with TLS 1.3 and OpenSSL 1.1.1
Status: closed
Description
A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.
In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth(). In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452
To test this, OpenSSL's "s_server" tool can be used. Start it with:
openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem
Then start the test client (see attachment):
./client.rb
Now press the key "c" and press ENTER in openssl s_server. Currently, this message is printed:
Failed to initiate request
139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:
This means that the client does not support post-handshake authentication.
Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs
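The attached client.rb is not reproduced on this page. As an added example (not the reporter's script and not code from ruby/openssl), the Ruby script below shows the part that already works with TLS 1.3 in the openssl gem: the server demanding a client certificate during the handshake itself, the same check s_server performs with -Verify, run over loopback against a throwaway CA that the script constructs itself. It assumes an openssl gem built against OpenSSL 1.1.1 or later (for OpenSSL::SSL::TLS1_3_VERSION); the post-handshake request that this ticket is about is exactly the case it does not exercise.

```ruby
require "openssl"
require "socket"

# Mint a certificate signed by issuer_key; with no issuer it is self-signed (the throwaway CA).
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, "SHA256")
  cert
end
# One TLS 1.3 handshake over loopback in which the server demands a client certificate
# up front (what s_server does with -Verify). Returns the negotiated protocol version and
# the subject the server saw in the client's certificate (nil if none was presented).
def tls13_client_cert_handshake
  ca_key, srv_key, cli_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca_cert = make_cert("Test CA", ca_key, ca: true)
  srv_cert = make_cert("localhost", srv_key, ca_cert, ca_key)
  cli_cert = make_cert("test-client", cli_key, ca_cert, ca_key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  sctx.cert, sctx.key, sctx.cert_store = srv_cert, srv_key, store
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  seen = nil
  thread = Thread.new { c = server.accept; seen = c.peer_cert && c.peer_cert.subject.to_s; c.close }
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  cctx.cert, cctx.key, cctx.cert_store = cli_cert, cli_key, store
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), cctx)
  sock.sync_close = true
  sock.connect
  version = sock.ssl_version
  sock.close
  thread.join
  server.close
  { version: version, client_subject: seen }
end
```

Running `tls13_client_cert_handshake` returns `{ version: "TLSv1.3", client_subject: "/CN=test-client" }`; removing `cctx.cert` makes the server reject the handshake instead, which is the verify_mode doing its job before any post-handshake mechanism is involved.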