Get peer certificate after handshake failure

Get peer certificate after handshake failure

Steven Winfield

Hi all,

 

First time posting here so please be gentle ;-)

 

TL;DR: After a failed handshake, caused by our peer’s certificate failing verification, what is the correct way to get hold of the peer’s certificate?

 

A little more detail:

I’d like my server applications to be able to log some details about the client’s certificate after a failed handshake, such as CN, SAN, not-valid-before, and not-valid-after values.

So, after a failed handshake, I thought I should be able to call SSL_get_peer_certificate(); however, I’m using Python (:-) bear with me…) where in the guts of SSLSocket.getpeercert() the call to SSL_get_peer_certificate() isn’t even attempted if SSL_is_init_finished() is false.[1]

 

Is SSL_is_init_finished() too severe a check in this case, and SSL_get_peer_certificate() would actually work fine?

 

More detail, in case it is relevant:

We have an internal CA, and both the server and client have certificates signed by this CA, and both trust the CA’s certificate.

The SSLContexts on both sides have:

  * verify flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT

  * certificate store verify flags = X509_V_FLAG_TRUSTED_FIRST | X509_V_FLAG_X509_STRICT

 

Any help would be greatly appreciated.

 

Best wishes,

Steven.

 

 

[1] https://github.com/python/cpython/blob/3.7/Modules/_ssl.c#L1813

 





This email is confidential. If you are not the intended recipient, please advise us immediately and delete this message. The registered name of Cantab- part of GAM Systematic is Cantab Capital Partners LLP. See - http://www.gam.com/en/Legal/Email+disclosures+EU for further information on confidentiality, the risks of non-secure electronic communication, and certain disclosures which we are required to make in accordance with applicable legislation and regulations. If you cannot access this link, please notify us by reply message and we will send the contents to you.

GAM Holding AG and its subsidiaries (Cantab – GAM Systematic) will collect and use information about you in the course of your interactions with us. Full details about the data types we collect, what we use them for and your related rights are set out in our online privacy policy at https://www.gam.com/en/legal/privacy-policy. Please familiarise yourself with this policy and check it from time to time for updates, as it supplements this notice.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Get peer certificate after handshake failure

Steven Winfield


You'll have better luck getting the peer certificate *during* the handshake, not after.
Read e. g. https://stackoverflow.com/questions/9089957/validating-client-certificates-in-pyopenssl on how to set up a verify callback function using PyOpenSSL.

HTH,

JJK

 

Thanks for the pointer! Python’s standard ssl module doesn’t expose that callback (yet), and I’d rather not switch everything to PyOpenSSL, but I’ll see what I can do.

Cheers,

Steven.






Re: Get peer certificate after handshake failure

Viktor Dukhovni
On Thu, Jan 17, 2019 at 05:39:39PM +0000, Steven Winfield wrote:

> TL;DR: After a failed handshake, caused by our peer’s certificate failing
> verification, what is the correct way to get hold of the peer’s certificate?

You can't get it after, but you can get it *during* the handshake, by
implementing a "verify callback".

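Both replies point at the verify callback, and JJK's link covers how to set one up with pyOpenSSL. The following is an added example, not code from the thread, from pyOpenSSL or from the poster's servers: the callback records the CN, SANs and validity window of whatever certificate OpenSSL is about to reject and returns OpenSSL's own verdict unchanged, so the handshake still fails. The server file paths are placeholders and the sample certificate is constructed here, unsigned, only to exercise the callback offline.

```python
from OpenSSL import SSL, crypto

# Same settings as the poster's servers: client cert required, none => fail.
VERIFY_MODE = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT

def describe_cert(cert):
    """Fields worth logging: CN, SANs (str(ext) gives "DNS:a, DNS:b") and validity."""
    sans = []
    for i in range(cert.get_extension_count()):
        ext = cert.get_extension(i)
        if ext.get_short_name() == b"subjectAltName":
            sans = [s.strip() for s in str(ext).split(",")]
    return {"cn": cert.get_subject().CN, "san": sans,
            "not_before": cert.get_notBefore().decode("ascii"),
            "not_after": cert.get_notAfter().decode("ascii")}

def make_verify_callback(log):
    """Build a verify callback that records each certificate OpenSSL rejects."""
    def verify_cb(conn, cert, errnum, depth, ok):
        if not ok:
            entry = describe_cert(cert)
            # errnum is the X509_V_ERR_* code OpenSSL assigned at this depth
            entry.update(depth=depth, error=errnum)
            log.append(entry)
        return ok  # keep OpenSSL's verdict: never turn a failure into success
    return verify_cb

def make_server_context(cert_file, key_file, ca_file, log):
    """Server context wired to the callback (file paths are placeholders)."""
    ctx = SSL.Context(SSL.TLS_METHOD)
    ctx.use_certificate_file(cert_file)
    ctx.use_privatekey_file(key_file)
    ctx.load_verify_locations(ca_file)
    ctx.set_verify(VERIFY_MODE, make_verify_callback(log))
    return ctx

def build_sample_cert():
    """Constructed, unsigned certificate standing in for a rejected client cert."""
    cert = crypto.X509()
    cert.get_subject().CN = "client.example.test"
    cert.set_notBefore(b"20190101000000Z")
    cert.set_notAfter(b"20190201000000Z")
    cert.add_extensions([crypto.X509Extension(
        b"subjectAltName", False, b"DNS:client.example.test, DNS:alt.example.test")])
    return cert

def demo():
    """Simulate OpenSSL rejecting the sample cert (code 10 = X509_V_ERR_CERT_HAS_EXPIRED)."""
    log = []
    verdict = make_verify_callback(log)(None, build_sample_cert(), 10, 0, 0)
    return verdict, log
```

In a real server the callback is invoked by OpenSSL once per certificate in the chain, so `depth` tells you whether the logged entry is the client's leaf certificate or one of its issuers.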