post-handshake auth doesn't interoperate with OpenSSL

RESOLVED FIXED in 3.44

Status

enhancement
RESOLVED FIXED
2 months ago
14 days ago

People

(Reporter: ueno, Unassigned)

Tracking

trunk
3.44

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

2 months ago

I realized that the current implementation of post-handshake auth doesn't interoperate with OpenSSL, because of the wrong calculation of hash context after handshake (sorry about that).

It would be nice there is an automatic interoperability test, but for now I am adding a minimal support for post-handshake auth in selfserv/tstclnt to enable manual testing.

(Reporter)

Comment 1

2 months ago

In post-handshake, Handshake Context should be:

ClientHello ... client Finished + CertificateRequest

while NSS continues feeding any handshake message after handshake.

(Reporter)

Updated

2 months ago
Blocks: 1511989
(Reporter)

Comment 3

2 months ago

Some servers send a certificate_required alert when the client returns
no certificate while it is required. For server, it is not mandatory
to send this alert, but it could make it easier for the client to
distinguish bad_certificate and the declined cases.

(Reporter)

Comment 4

14 days ago
Status: NEW → RESOLVED
Last Resolved: 14 days ago
Resolution: --- → FIXED
Target Milestone: --- → 3.44
You need to log in before you can comment on or make changes to this bug.