Script ssl-cert cannot get server certificate when a client certificate is required #1490

Open
cnotin opened this Issue Feb 20, 2019 · 2 comments

cnotin commented Feb 20, 2019

Even after fixing #1488, I've observed that the ssl-cert script fails to fetch the server certificate when an SSL client certificate is required.

Without the client certificate, of course we cannot fully connect but we still receive the Server Hello with the server certificate that could be parsed.

Here is the debug output:

NSOCK INFO [0.2920s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.3630s] nsock_connect_ssl(): SSL connection requested to a.b.c.d:8090/tcp (IOD #1) EID 9
NSOCK INFO [0.3860s] handle_connect_result(): EID 9 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
NSOCK INFO [0.3860s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 9 [a.b.c.d:8090]
NSE: [ssl-cert M:560520e6e748 a.b.c.d:8090] getCertificate error: Failed to connect to server
NSE: Finished ssl-cert M:560520e6e748 against a.b.c.d:8090.

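The behaviour described above (the server's Certificate message arrives before the handshake fails for lack of a client certificate) can be seen with a minimal TLS 1.2 handshake reader. The following is an added example, not code from Nmap or the ssl-cert/sslcert.lua script: it sends a ClientHello, reads the server's flight, and returns the DER chain plus whether a CertificateRequest was seen. Host and port are whatever you pass in; it assumes a TLS 1.2-capable server, since TLS 1.3 encrypts the Certificate message and is out of scope here.

```python
# Added example (not Nmap/ssl-cert code): minimal TLS 1.2 handshake reader that
# returns the server's certificate chain even when a client certificate is required.
import hashlib
import os
import socket
import struct

TLS_ALERT, TLS_HANDSHAKE = 21, 22
HS_CLIENT_HELLO, HS_CERTIFICATE, HS_CERTIFICATE_REQUEST, HS_SERVER_HELLO_DONE = 1, 11, 13, 14

def encode_handshake_message(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type, 3-byte big-endian body length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def tls_record(content_type: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", content_type, 0x0301, len(payload)) + payload

def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def build_client_hello(server_name: str) -> bytes:
    """TLS 1.2 ClientHello with SNI, common RSA/ECDSA suites and the extensions
    most 1.2 servers need. No supported_versions is offered, so a 1.3-only server
    just alerts (its Certificate message is encrypted and out of scope here)."""
    suites = bytes.fromhex("c02fc030c02bc02cc027c028009c009d002f0035")
    name = server_name.encode()
    sni = _ext(0, struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name)
    groups = bytes.fromhex("001d001700180019")  # x25519, P-256, P-384, P-521
    sig_algs = bytes.fromhex("040305030603080408050806040105010601")
    extensions = (sni + _ext(10, struct.pack("!H", len(groups)) + groups)
                  + _ext(11, b"\x01\x00")  # ec_point_formats: uncompressed
                  + _ext(13, struct.pack("!H", len(sig_algs)) + sig_algs))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"  # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    return tls_record(TLS_HANDSHAKE, encode_handshake_message(HS_CLIENT_HELLO, body))

def iter_handshake_messages(data: bytes):
    """Yield (type, body) for each complete handshake message in data."""
    i = 0
    while i + 4 <= len(data):
        length = int.from_bytes(data[i + 1:i + 4], "big")
        body = data[i + 4:i + 4 + length]
        if len(body) < length:
            break  # remainder arrives in a later record
        yield data[i], body
        i += 4 + length

def parse_certificate_message(body: bytes) -> list:
    """Certificate body: 3-byte total length, then (3-byte length, DER) entries."""
    end, i, certs = 3 + int.from_bytes(body[:3], "big"), 3, []
    while i + 3 <= end:
        n = int.from_bytes(body[i:i + 3], "big")
        certs.append(body[i + 3:i + 3 + n])
        i += 3 + n
    return certs

def extract_certificates(handshake: bytes) -> dict:
    """Summarise the server flight: leaf-first DER chain, whether a client cert was requested."""
    info = {"certificates": [], "client_cert_requested": False, "server_hello_done": False, "alert": None}
    for msg_type, body in iter_handshake_messages(handshake):
        if msg_type == HS_CERTIFICATE:
            info["certificates"] = parse_certificate_message(body)
        elif msg_type == HS_CERTIFICATE_REQUEST:
            info["client_cert_requested"] = True
        elif msg_type == HS_SERVER_HELLO_DONE:
            info["server_hello_done"] = True
    return info

def fetch_server_certificates(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send ClientHello, read until ServerHelloDone, an alert or EOF. Nothing else is
    sent, so the handshake never reaches the point where a missing client cert fails."""
    handshake, alert = b"", None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        stream = sock.makefile("rb")  # read(n) blocks for n bytes or EOF
        while True:
            header = stream.read(5)
            if len(header) < 5:
                break
            content_type, _version, length = struct.unpack("!BHH", header)
            payload = stream.read(length)
            if content_type == TLS_ALERT and len(payload) >= 2:
                alert = (payload[0], payload[1])  # (level, description)
                break
            if content_type == TLS_HANDSHAKE:
                handshake += payload
                if extract_certificates(handshake)["server_hello_done"]:
                    break
    info = extract_certificates(handshake)
    info["alert"] = alert
    return info

if __name__ == "__main__":
    import sys
    result = fetch_server_certificates(sys.argv[1], int(sys.argv[2]))
    print("client cert requested:", result["client_cert_requested"], "alert:", result["alert"])
    for der in result["certificates"]:
        print("sha256:", hashlib.sha256(der).hexdigest())
```

Run it as `python3 tls_cert_peek.py HOST PORT` (file name assumed). Against a server that requires a client certificate it reports `client cert requested: True` together with the SHA-256 of each DER certificate, because the reader stops after ServerHelloDone and never sends the (empty) client Certificate that would trigger the `sslv3 alert handshake failure` seen in the debug output above. The `alert` field shows what the server sent if it refused even the ClientHello, for example a protocol_version alert from a TLS 1.3-only endpoint.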


cnotin commented Feb 20, 2019

It works fine if I disable the status check after socket:connect in sslcert.lua.
Is this check necessary?
There's already a check below after cert = socket:get_ssl_certificate()


cnotin commented Mar 5, 2019

To test this issue, here is how to quickly create a TLS server that requests a client certificate:
socat -v OPENSSL-LISTEN:443,reuseaddr,fork,verify=1,cert=site.pem -
