Feature #15353

open

Support client certificates with TLS 1.3 and OpenSSL 1.1.1

Added by mkauf (Michael Kaufmann) almost 3 years ago. Updated over 2 years ago.

Status: Open
Priority: Normal
Assignee: -
Target version: -
[ruby-core:90124]

Description

A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.

In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth(). In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452

To test this, OpenSSL's "s_server" tool can be used. Start it with:

openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem

Then start the test client (see attachment):

./client.rb

Now press the key "c" and press ENTER in openssl s_server. Currently, this message is printed:

Failed to initiate request
139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:

This means that the client does not support post-handshake authentication.

Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs
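As an added example (not the issue's attached client.rb), this shows the part of TLS 1.3 client authentication that Ruby's OpenSSL binding does handle: a client presenting its certificate in the initial handshake to an in-process server that demands it, with the negotiated version and the client CN the server saw returned for checking. The in-memory CA, server and client certificates, the hostnames and the function names are all constructed for this example.

```ruby
require "openssl"
require "socket"

# Constructed in-memory CA, server and client certificates (stand-ins for
# the issue's MyRootCA.pem / MyClient1.pem attachments, not those files).
def make_cert(name, issuer_cert: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Runs a TLS 1.3 handshake in-process. The server requests the client
# certificate during the initial handshake (VERIFY_PEER); the post-handshake
# request the issue asks for has no Ruby-level switch to enable here.
def run_tls13_client_auth
  ca_cert, ca_key = make_cert("TestRootCA", ca: true)
  srv_cert, srv_key = make_cert("localhost", issuer_cert: ca_cert, issuer_key: ca_key)
  cli_cert, cli_key = make_cert("TestClient1", issuer_cert: ca_cert, issuer_key: ca_key)
  store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key, sctx.cert_store = srv_cert, srv_key, store
  sctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(tcp.accept, sctx)
    ssl.accept
    ssl.puts(ssl.peer_cert.subject.to_a.assoc("CN")[1]) # CN of the client cert
    ssl.close
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert, cctx.key, cctx.cert_store = cli_cert, cli_key, store
  cctx.min_version = OpenSSL::SSL::TLS1_3_VERSION
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), cctx)
  ssl.connect
  result = { version: ssl.ssl_version, peer_cn: ssl.gets.chomp }
  ssl.close; server.join; tcp.close
  result
end
```

Against an external server such as the s_server invocation above, the same client context connects, but pressing "c" still fails until the binding can set the post-handshake authentication option on the client.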

Files

client.rb (387 Bytes): Test client. Uploaded by mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyClient1.key (1.64 KB): Key for the test certificate. Uploaded by mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyClient1.pem (1.25 KB): Test certificate. Uploaded by mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyRootCA.key (1.64 KB): Key for the root CA certificate. Uploaded by mkauf (Michael Kaufmann), 11/28/2018 03:43 PM
MyRootCA.pem (1.35 KB): Root CA certificate. Uploaded by mkauf (Michael Kaufmann), 11/28/2018 03:43 PM