Issue #15353 has been updated by mkauf (Michael Kaufmann).

Subject changed from Support Post-Handshake Authentication with TLS 1.3 and OpenSSL 1.1.1 to Support client certificates with TLS 1.3 and OpenSSL 1.1.1

> Hello, openssl library now has its own tracker.  Is it possible to report this issue at ruby/openssl? https://github.com/ruby/openssl/issues

Thank you for explaining that ruby/openssl has its own bug tracker!

I have created an issue there: https://github.com/ruby/openssl/issues/237

----------------------------------------
Feature #15353: Support client certificates with TLS 1.3 and OpenSSL 1.1.1
https://bugs.ruby-lang.org/issues/15353#change-76360

* Author: mkauf (Michael Kaufmann)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.

In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth(). In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452


To test this, OpenSSL's "s_server" tool can be used. Start it with:

openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem


Then start the test client (see attachment):

./client.rb


Now press the key "c" and press ENTER in openssl s_server. Currently, this message is printed:

Failed to initiate request
139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:


This means that the client does not support post-handshake authentication.

Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs

---Files--------------------------------
client.rb (387 Bytes)
MyClient1.key (1.64 KB)
MyClient1.pem (1.25 KB)
MyRootCA.key (1.64 KB)
MyRootCA.pem (1.35 KB)


-- 
https://bugs.ruby-lang.org/
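
Added illustration (not part of the issue or its client.rb attachment): the "extension not received" error above is reported when the ClientHello did not carry the post_handshake_auth extension, type 49 in RFC 8446. The Ruby code below checks one ClientHello record for that extension; the helper names and the hand-built sample records are constructed for this example and assume the ClientHello fits in a single TLS record.

```ruby
POST_HANDSHAKE_AUTH = 49 # extension type, RFC 8446 section 4.2.6

# Returns the extension type numbers found in one TLS record holding a
# complete (unfragmented) ClientHello; raises ArgumentError otherwise.
def client_hello_extensions(record)
  buf = record.b
  raise ArgumentError, "not a handshake record" unless buf.getbyte(0) == 0x16
  rec_len = buf[3, 2].to_s.unpack1("n") or raise ArgumentError, "short header"
  body = buf[5, rec_len]
  raise ArgumentError, "truncated record" if body.nil? || body.bytesize < rec_len
  raise ArgumentError, "not a ClientHello" unless body.getbyte(0) == 0x01
  pos = 4 + 2 + 32 # skip handshake header, legacy_version, random
  take = lambda do |n|
    chunk = body[pos, n]
    raise ArgumentError, "truncated ClientHello" if chunk.nil? || chunk.bytesize < n
    pos += n
    chunk
  end
  take.(take.(1).unpack1("C")) # legacy_session_id
  take.(take.(2).unpack1("n")) # cipher_suites
  take.(take.(1).unpack1("C")) # legacy_compression_methods
  return [] if pos >= body.bytesize # older hello without any extensions
  exts = take.(take.(2).unpack1("n"))
  types, i = [], 0
  while i + 4 <= exts.bytesize
    type, len = exts[i, 4].unpack("nn")
    types << type
    i += 4 + len
  end
  types
end

# True if the client offered post-handshake authentication.
def advertises_pha?(record)
  client_hello_extensions(record).include?(POST_HANDSHAKE_AUTH)
end

# Constructed sample: a minimal hand-built ClientHello record carrying the
# given [type, data] extensions (not a capture from a real client).
def sample_client_hello(extensions)
  exts = extensions.map { |t, d| [t, d.bytesize].pack("nn") + d }.join.b
  hello = [0x0303].pack("n") + ("\x00".b * 32) + [0].pack("C") +
          [2, 0x1301].pack("nn") + [1, 0].pack("CC") +
          [exts.bytesize].pack("n") + exts
  handshake = [1].pack("C") + [hello.bytesize].pack("N")[1, 3] + hello
  [0x16, 0x0301, handshake.bytesize].pack("Cnn") + handshake
end

puts advertises_pha?(sample_client_hello([[43, "\x02\x03\x04"], [49, ""]]))
```

To check a real client, pass the first record it sends (for example the bytes of the ClientHello exported from a packet capture) to advertises_pha?.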
