TLS 1.3 interoperability failure with servers that request (optional) client certs. #294
Comments
|
At this point client authentication is not implemented at all for TLS13. |
You may have missed my point. I don't expect to use client authentication. The server asks for optional client certificates, and my client has none so (TLS ≤ 1.2) it successfully continues without them by sending an empty client certificate list. This must continue to work with TLS 1.3. Many (SMTP at least) servers solicit client certificates, but don't require them, clients that have them may get relay access, or be exempt from some anti-spam filters, but authenticated clients are still accepted. Enabling TLS 1.3 breaks unauthenticated connections to servers that solicit (optional) client certificates. |
|
Enabling TLS13 is not supported, the implementation is not finished. |
|
Yes, I understand that it is not finished, I am just testing it lightly, and highlighting places where it does not quite work right yet. I hope that's useful. If not, I can postpone all testing till later... |
|
Three major issues for TLS 1.3 remain as described in #282.
|
|
I also started work on client auth, how far along are you? Perhaps I should stop... |
|
I have it working for the case with no client certificate (server asks, client declines). I have almost all the code for the case that the client has a certificate, but it does not handle the server's signatureAlgorithms extension correctly yet (just ignores it, and hardcodes a choice), and is not yet tested. It does however compile (type checks) and is quite close to complete. |
|
I am polishing up the code now, and adding more detailed comments. |
|
@vdukhovni Your help is welcome to review the implementation. I have same concern about preserving working functionality that's why I try to see how to expand test coverage. Currently we have some corner cases due to delayed handshake termination as well as the ticket mechanism. I opened #296 to get better understanding and #297 to give an example of what is wrong. |
|
@vdukhovni No problem. Please send us a PR for client authentication. |
|
Kazu, are you reachable by Skype or Google Hangouts? Please drop me an email with contact info if you are... |
|
I sent you my gmail address. |
|
Opened #298 closing this issue. |
If I enable TLS13, the handshake with the remote server fails with an "Internal Error" alert from the
hs-tlsclient. OpenSSL's TLS 1.3 interoperates with the server. When I enable SSL state logging in OpenSSL I see:The server solicits (but does not require) a client certificate, and "posttls-finger" sends an empty client certificate message (no client-side certificate is configured).
To make sure I'm on the right track, I've configured my own SMTP server to request certificates on port 587, but not port 25. With that done, the handshake from a client using
hs-tlswith TLS 1.3 enabled fails to port 587, but succeeds to port 25. Both succeed if I disable TLS 1.3.So it looks like client certificate requests are not handled correctly with TLS 1.3, but work with earlier TLS versions.
The text was updated successfully, but these errors were encountered: