SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1


SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

Dave Wang
Hi there,

I have a client that can talk with a server, where the client certificate is loaded in client_cert_cb based on matching the server-side certificate.

It works perfectly in openssl 1.1.0h; however, it stops working after I upgrade to openssl 1.1.1.

In client_cert_cb, when I call SSL_get_peer_certificate, it returns NULL, which is different from openssl 1.1.0h.

I do set SSL_VERIFY_PEER on both sides.

Any thoughts on this?

Regards,
Dave

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

Matt Caswell-2


On 10/10/18 23:04, Dave Wang wrote:

> Hi there,
>
> I have a client that can talk with a server, where the client certificate is
> loaded in client_cert_cb based on matching the server-side certificate.
>
> It works perfectly in openssl 1.1.0h; however, it stops working after I
> upgrade to openssl 1.1.1.
>
> In client_cert_cb, when I call SSL_get_peer_certificate, it returns
> NULL, which is different from openssl 1.1.0h.
>
> I do set SSL_VERIFY_PEER on both sides.
>
> Any thoughts on this?

I assume this only happens with a TLSv1.3 handshake?

From the documentation, the client_cert_cb is called: "when a client
certificate is requested by a server". In practice this means when we
have received the CertificateRequest message from the server.

In TLSv1.2 (and below) the server's first flight of messages for a
client-auth full handshake in response to a ClientHello looks like this:

ServerHello
Certificate
ServerKeyExchange
CertificateRequest
ServerHelloDone

In TLSv1.3 it looks like this:

ServerHello
EncryptedExtensions
CertificateRequest
Certificate
CertificateVerify
Finished

Note that in TLSv1.2 the CertificateRequest message comes *after* the
server has sent the Certificate but in TLSv1.3 it comes *before*. That
means of course that in TLSv1.3 the client_cert_cb gets called before we
have processed the server's certificate and hence
SSL_get_peer_certificate() returns NULL.

I'm wondering whether we should delay calling the client_cert_cb in
TLSv1.3 until after the CertificateVerify has been processed.

Matt
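A small Python model of the timing Matt describes, added here as an illustration; it is not code from the thread or from OpenSSL. It walks the two server flights listed above, fires a stand-in client_cert_cb at CertificateRequest (where OpenSSL 1.1.1 calls it) or, optionally, after CertificateVerify (the change Matt floats for TLSv1.3), and records whether the server certificate was already available at that moment. SERVER_FLIGHT, ClientState, run_client_side, peer_cert_seen_by_callback and the certificate string are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Server first flight for a client-auth full handshake, in the order the
# thread gives for each protocol version.
SERVER_FLIGHT = {
    "TLSv1.2": ["ServerHello", "Certificate", "ServerKeyExchange",
                "CertificateRequest", "ServerHelloDone"],
    "TLSv1.3": ["ServerHello", "EncryptedExtensions", "CertificateRequest",
                "Certificate", "CertificateVerify", "Finished"],
}

# Constructed stand-in for the server's certificate; a real client holds an X509*.
SERVER_CERT = "server-cert (constructed sample)"


@dataclass
class ClientState:
    """The slice of client handshake state this model cares about."""
    version: str
    peer_cert: Optional[str] = None          # what SSL_get_peer_certificate() would return
    cert_request_seen: bool = False
    # Value of peer_cert at each client_cert_cb invocation (hypothetical log).
    callback_saw: List[Optional[str]] = field(default_factory=list)


def client_cert_cb(state: ClientState) -> int:
    """Stand-in for an application callback that picks a client cert by
    matching the server's certificate. Returns 1 if it could choose a cert,
    0 if it had nothing to match against (no peer cert yet)."""
    state.callback_saw.append(state.peer_cert)
    return 1 if state.peer_cert is not None else 0


def run_client_side(version: str, defer_cb_in_tls13: bool = False) -> ClientState:
    """Process the server's first flight and fire client_cert_cb where
    OpenSSL 1.1.1 does (at CertificateRequest), or, if defer_cb_in_tls13 is
    set, where the reply proposes for TLSv1.3 (after CertificateVerify)."""
    state = ClientState(version)
    for msg in SERVER_FLIGHT[version]:
        if msg == "Certificate":
            state.peer_cert = SERVER_CERT      # now SSL_get_peer_certificate() != NULL
        elif msg == "CertificateRequest":
            state.cert_request_seen = True
            if not (defer_cb_in_tls13 and version == "TLSv1.3"):
                client_cert_cb(state)
        elif msg == "CertificateVerify":
            # Only TLSv1.3 has a server CertificateVerify in this flight.
            if defer_cb_in_tls13 and state.cert_request_seen:
                client_cert_cb(state)
    return state


def peer_cert_seen_by_callback(version: str,
                               defer_cb_in_tls13: bool = False) -> Optional[str]:
    """What the callback saw on its (single) invocation, or None if it never ran."""
    state = run_client_side(version, defer_cb_in_tls13)
    return state.callback_saw[0] if state.callback_saw else None


if __name__ == "__main__":
    for version, defer in (("TLSv1.2", False), ("TLSv1.3", False), ("TLSv1.3", True)):
        seen = peer_cert_seen_by_callback(version, defer)
        print(f"{version} defer={defer}: callback saw peer cert = {seen!r}")
```

Running it shows the callback seeing the certificate under TLSv1.2, seeing nothing under TLSv1.3 with the 1.1.1 timing, and seeing it again once the call is deferred past CertificateVerify. Dave's workaround of disabling TLS1.3 on the client corresponds to the TLSv1.2 path; in OpenSSL that is SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION). A callback that runs under TLSv1.3 should treat a NULL return from SSL_get_peer_certificate() as "server identity not yet known" rather than as an absent server certificate.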

Re: SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

Matt Caswell-2
I opened this issue to track this problem:

https://github.com/openssl/openssl/issues/7384

Matt


On 11/10/18 10:25, Matt Caswell wrote:

>
>
> On 10/10/18 23:04, Dave Wang wrote:
>> Hi there,
>>
>> I have a client that can talk with a server, where the client certificate is
>> loaded in client_cert_cb based on matching the server-side certificate.
>>
>> It works perfectly in openssl 1.1.0h; however, it stops working after I
>> upgrade to openssl 1.1.1.
>>
>> In client_cert_cb, when I call SSL_get_peer_certificate, it returns
>> NULL, which is different from openssl 1.1.0h.
>>
>> I do set SSL_VERIFY_PEER on both sides.
>>
>> Any thoughts on this?
>
> I assume this only happens with a TLSv1.3 handshake?
>
> From the documentation, the client_cert_cb is called: "when a client
> certificate is requested by a server". In practice this means when we
> have received the CertificateRequest message from the server.
>
> In TLSv1.2 (and below) the server's first flight of messages for a
> client-auth full handshake in response to a ClientHello looks like this:
>
> ServerHello
> Certificate
> ServerKeyExchange
> CertificateRequest
> ServerHelloDone
>
> In TLSv1.3 it looks like this:
>
> ServerHello
> EncryptedExtensions
> CertificateRequest
> Certificate
> CertificateVerify
> Finished
>
> Note that in TLSv1.2 the CertificateRequest message comes *after* the
> server has sent the Certificate but in TLSv1.3 it comes *before*. That
> means of course that in TLSv1.3 the client_cert_cb gets called before we
> have processed the server's certificate and hence
> SSL_get_peer_certificate() returns NULL.
>
> I'm wondering whether we should delay calling the client_cert_cb in
> TLSv1.3 until after the CertificateVerify has been processed.
>
> Matt
>

Re: SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

Dave Wang
Hi Matt,

This makes sense: if I disable TLS1.3, the issue is gone. Thanks for your help.

Regards,
Dave

On Thu, Oct 11, 2018 at 2:36 AM Matt Caswell <[hidden email]> wrote:
I opened this issue to track this problem:

https://github.com/openssl/openssl/issues/7384

Matt


On 11/10/18 10:25, Matt Caswell wrote:
>
>
> On 10/10/18 23:04, Dave Wang wrote:
>> Hi there,
>>
>> I have a client that can talk with a server, where the client certificate is
>> loaded in client_cert_cb based on matching the server-side certificate.
>>
>> It works perfectly in openssl 1.1.0h; however, it stops working after I
>> upgrade to openssl 1.1.1.
>>
>> In client_cert_cb, when I call SSL_get_peer_certificate, it returns
>> NULL, which is different from openssl 1.1.0h.
>>
>> I do set SSL_VERIFY_PEER on both sides.
>>
>> Any thoughts on this?
>
> I assume this only happens with a TLSv1.3 handshake?
>
> From the documentation, the client_cert_cb is called: "when a client
> certificate is requested by a server". In practice this means when we
> have received the CertificateRequest message from the server.
>
> In TLSv1.2 (and below) the server's first flight of messages for a
> client-auth full handshake in response to a ClientHello looks like this:
>
> ServerHello
> Certificate
> ServerKeyExchange
> CertificateRequest
> ServerHelloDone
>
> In TLSv1.3 it looks like this:
>
> ServerHello
> EncryptedExtensions
> CertificateRequest
> Certificate
> CertificateVerify
> Finished
>
> Note that in TLSv1.2 the CertificateRequest message comes *after* the
> server has sent the Certificate but in TLSv1.3 it comes *before*. That
> means of course that in TLSv1.3 the client_cert_cb gets called before we
> have processed the server's certificate and hence
> SSL_get_peer_certificate() returns NULL.
>
> I'm wondering whether we should delay calling the client_cert_cb in
> TLSv1.3 until after the CertificateVerify has been processed.
>
> Matt
>