Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up[TLS 1.3] Enable post-handshake auth for OpenSSL 1.1.1 #3026
Comments
bagder
added
the
SSL/TLS
label
Sep 21, 2018
This comment has been minimized.
This comment has been minimized.
|
It might be sufficient to just call the function. I'm not fully sure how the actual PHA handshake works with HTTP. If I understand the Apache mod_ssl implementation correctly, then it's like HTTP STARTTLS. The server sends a HTTP connection upgrade request along a CertRequest TLS message. The client response with an upgrade confirmation along with Certificate, CertificateVerify, and Finish TLS message. |
added a commit
to tiran/curl
that referenced
this issue
Sep 21, 2018
added a commit
to tiran/curl
that referenced
this issue
Sep 21, 2018
added a commit
to tiran/curl
that referenced
this issue
Sep 21, 2018
bagder
closed this
in
b939bc4
Sep 24, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
tiran commentedSep 21, 2018
Curl does neither call
SSL_CTX_set_post_handshake_auth()norSSL_set_post_handshake_auth()to enable TLS 1.3's post handshake authentication feature. TLS 1.3 does no longer support renegotiation, therefore PHA is required when the server requires TLS client cert auth depending on HTTP method and/or path. OpenSSL 1.1.1 changed PHA to opt-in.I noticed the issue while I was working on PHA support for Python. I wanted to verify my implementation with curl...
Resources: