Closed Bug 1532312 Opened 2 years ago Closed 2 years ago

post-handshake auth doesn't interoperate with OpenSSL

Categories

(NSS :: Libraries, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ueno, Unassigned)

Attachments

(3 files)

I realized that the current implementation of post-handshake auth doesn't interoperate with OpenSSL, because of the wrong calculation of hash context after handshake (sorry about that).

It would be nice if there were an automatic interoperability test, but for now I am adding minimal support for post-handshake auth in selfserv/tstclnt to enable manual testing.

In post-handshake, Handshake Context should be:

ClientHello ... client Finished + CertificateRequest

while NSS continues feeding any handshake message after handshake.

Blocks: 1511989
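The mismatch described in the report, as an added example that is not part of the original bug or of NSS's code: it compares a Handshake Context built from a snapshot taken at client Finished with one built from a hash that keeps absorbing post-handshake messages. The message bytes are constructed stand-ins, SHA-256 is assumed as the negotiated hash, and all function names are hypothetical.

```python
import hashlib

# Constructed stand-ins for encoded handshake messages, not real TLS encodings.
MAIN_HANDSHAKE = [b"ClientHello", b"ServerHello", b"EncryptedExtensions",
                  b"server Certificate", b"server CertificateVerify",
                  b"server Finished", b"client Finished"]
NEW_SESSION_TICKET = b"NewSessionTicket"
CERT_REQUEST = b"CertificateRequest"
CLIENT_CERT = b"client Certificate"


def snapshot_context(earlier_post_handshake, cert_request):
    """ClientHello ... client Finished + CertificateRequest, as the report states."""
    at_client_finished = hashlib.sha256(b"".join(MAIN_HANDSHAKE))
    ctx = at_client_finished.copy()  # fork, so the snapshot can be reused later
    # earlier_post_handshake is deliberately not hashed into the context
    ctx.update(cert_request)
    return ctx


def running_context(earlier_post_handshake, cert_request):
    """Model of a hash that keeps absorbing every message after the handshake."""
    ctx = hashlib.sha256(b"".join(MAIN_HANDSHAKE))
    for msg in earlier_post_handshake:
        ctx.update(msg)
    ctx.update(cert_request)
    return ctx


def certificate_verify_hash(ctx, certificate):
    """Transcript hash the client's CertificateVerify signs: context + Certificate."""
    h = ctx.copy()
    h.update(certificate)
    return h.hexdigest()


def peers_agree(earlier_post_handshake):
    """True if both ways of building the context yield the same signed hash."""
    good = certificate_verify_hash(
        snapshot_context(earlier_post_handshake, CERT_REQUEST), CLIENT_CERT)
    drifted = certificate_verify_hash(
        running_context(earlier_post_handshake, CERT_REQUEST), CLIENT_CERT)
    return good == drifted


if __name__ == "__main__":
    print("no earlier post-handshake traffic:", peers_agree([]))
    print("after a NewSessionTicket:", peers_agree([NEW_SESSION_TICKET]))
```

The two contexts only coincide when nothing was exchanged between client Finished and the CertificateRequest, which is why a manual test against a peer that sends session tickets first exposes the difference.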

Some servers send a certificate_required alert when the client returns
no certificate while it is required. For the server, it is not mandatory
to send this alert, but it could make it easier for the client to
distinguish bad_certificate and the declined cases.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.44