eduardsui / tlse

Single C file TLS 1.2/1.3 implementation, using tomcrypt as crypto library

Client Certificate Request freezes handshake. #46

Closed. vbickov closed this 3 years ago.

vbickov commented 5 years ago

Maybe this issue is related to a particular implementation on a client side.

When Client Verification is enabled like this:

tls_request_client_certificate(ctx);   /* server will send CertificateRequest during the handshake */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, (tls_validation_function)tls_default_verify);   /* verify the peer's chain */

the handshake stops after the server sends tls_certificate_request(). The client just does not respond with anything.

Is Client Certificate Request/Client Verification stable/tested?

eduardsui commented 5 years ago

I don't know. Please post some working code in order to debug it. Just tested on the server, it works as expected.

vbickov commented 5 years ago

Well, the working code is pretty simple.

tls_load_private_key(ctx, pkey_buf, pkey_size);          /* server key */
tls_load_certificates(ctx, cert_buf, cert_size);         /* server certificate chain */
tls_load_root_certificates(ctx, root_buf, root_size);    /* roots used to validate the client's certificate */
//tls_request_client_certificate(ctx);                   /* uncommenting this line triggers the hang */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, (tls_validation_function)tls_default_verify);
SSL_accept(ctx);                                         /* run the server side of the handshake */

Nothing fails, but if tls_request_client_certificate(ctx) is uncommented, then the client stops communicating after the server sends its HELLO with tls_certificate_request(). I do not really have time to dig deeper. Maybe the problem is related to the client implementation. The client is proprietary, so I do not know what is going on inside.

eduardsui commented 5 years ago

Please post the entire code, for me to compile it and test it. What client are you using? I've tested it with Firefox and Chrome as clients, and it works.

eduardsui commented 5 years ago

You could try to compile it with -DDEBUG in order to see the handshake flow.

vbickov commented 5 years ago

I'm using your library to implement enhanced security for a non-web app, and the handshake occurs in the middle of a session. I already posted the entire code related to the handshake. Debug is enabled. Nothing happens after sending HELLO with tls_certificate_request(). The client is just sitting and waiting for something. I was just curious whether or not you experienced the same issue. You can close the case because you won't be able to reproduce it anyway.

eduardsui commented 5 years ago

Ok. Never happened to me, but I never used client certificates in production (just for testing purposes). I will make some tests with openssl client to check it further.
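The thread never shows what the server actually put on the wire, which is the first thing to check from the -DDEBUG trace when a closed-source client goes quiet after CertificateRequest. The following is an added example, not code from TLSe or from either commenter: a bounds-checked decoder for a TLS 1.2 CertificateRequest handshake message (RFC 5246, section 7.4.4), plus the 7-byte empty Certificate message a client that has no acceptable certificate is still required to send back (section 7.4.6). The sample message is constructed here, not captured from TLSe; the function names and the DN in it are this example's own. TLS 1.3 uses a different CertificateRequest layout (a request context followed by extensions), which this decoder does not handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HS_CERTIFICATE          11
#define TLS_HS_CERTIFICATE_REQUEST  13
#define MAX_ITEMS                   16

/* Decoded view of a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4). */
typedef struct {
    int cert_type_count;
    uint8_t cert_types[MAX_ITEMS];   /* 1 = rsa_sign, 2 = dss_sign, 64 = ecdsa_sign */
    int sig_alg_count;
    uint16_t sig_algs[MAX_ITEMS];    /* (hash << 8) | signature, e.g. 0x0401 = sha256+rsa */
    int ca_count;                    /* DistinguishedName entries the server will accept */
    size_t ca_total_len;             /* DER bytes inside the certificate_authorities list */
} cert_request_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* Parse one complete handshake message of type CertificateRequest.
 * Returns 0 on success, a negative code on truncated or malformed input;
 * every vector length is checked against the remaining bytes before use. */
int parse_certificate_request(const uint8_t *buf, size_t len, cert_request_t *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 4 || buf[0] != TLS_HS_CERTIFICATE_REQUEST) return -1;
    if (rd24(buf + 1) != len - 4) return -2;           /* 24-bit body length must match */
    size_t pos = 4;

    /* certificate_types<1..2^8-1> */
    if (len - pos < 1) return -3;
    uint8_t n_types = buf[pos++];
    if (n_types == 0 || len - pos < n_types) return -3;
    for (uint8_t i = 0; i < n_types; i++)
        if (out->cert_type_count < MAX_ITEMS) out->cert_types[out->cert_type_count++] = buf[pos + i];
    pos += n_types;

    /* supported_signature_algorithms<2..2^16-2>: pairs of (hash, signature) */
    if (len - pos < 2) return -4;
    uint16_t sa_len = rd16(buf + pos); pos += 2;
    if (sa_len < 2 || (sa_len & 1) || len - pos < sa_len) return -4;
    for (uint16_t i = 0; i < sa_len; i += 2)
        if (out->sig_alg_count < MAX_ITEMS) out->sig_algs[out->sig_alg_count++] = rd16(buf + pos + i);
    pos += sa_len;

    /* certificate_authorities<0..2^16-1>: zero or more length-prefixed DER Names.
     * An empty list is legal and means the client may pick any CA. */
    if (len - pos < 2) return -5;
    uint16_t ca_len = rd16(buf + pos); pos += 2;
    if (len - pos < ca_len) return -5;
    size_t ca_end = pos + ca_len;
    while (pos < ca_end) {
        if (ca_end - pos < 2) return -6;
        uint16_t dn_len = rd16(buf + pos); pos += 2;
        if (dn_len == 0 || ca_end - pos < dn_len) return -6;
        out->ca_count++;
        out->ca_total_len += dn_len;
        pos += dn_len;
    }
    return pos == len ? 0 : -7;                        /* no trailing bytes allowed */
}

/* 1 if the server listed this ClientCertificateType, else 0. */
int offers_cert_type(const cert_request_t *req, uint8_t type)
{
    for (int i = 0; i < req->cert_type_count; i++)
        if (req->cert_types[i] == type) return 1;
    return 0;
}

/* A client with no suitable certificate must still answer with an empty
 * Certificate message (RFC 5246, section 7.4.6) rather than go silent:
 * type 11, 3-byte length 3, then an empty certificate_list (3-byte length 0).
 * Returns the number of bytes written (7), or 0 if the buffer is too small. */
size_t build_empty_certificate(uint8_t *out, size_t cap)
{
    static const uint8_t msg[7] = { TLS_HS_CERTIFICATE, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00 };
    if (cap < sizeof msg) return 0;
    memcpy(out, msg, sizeof msg);
    return sizeof msg;
}

/* Constructed sample (not captured from TLSe or any real client): a CertificateRequest
 * offering rsa_sign and ecdsa_sign, accepting sha256+rsa and sha256+ecdsa, with one
 * CA DistinguishedName (DER for "CN=CA"). */
const uint8_t SAMPLE_CERT_REQUEST[] = {
    0x0d, 0x00, 0x00, 0x1c,                   /* type 13, body length 28 */
    0x02, 0x01, 0x40,                         /* 2 types: rsa_sign, ecdsa_sign */
    0x00, 0x04, 0x04, 0x01, 0x04, 0x03,       /* 4 bytes: sha256+rsa, sha256+ecdsa */
    0x00, 0x11, 0x00, 0x0f,                   /* CA list of 17 bytes; one DN of 15 bytes */
    0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x43, 0x41
};
const size_t SAMPLE_CERT_REQUEST_LEN = sizeof SAMPLE_CERT_REQUEST;

int main(void)
{
    cert_request_t req;
    int rc = parse_certificate_request(SAMPLE_CERT_REQUEST, SAMPLE_CERT_REQUEST_LEN, &req);
    printf("parse rc=%d types=%d sigalgs=%d CAs=%d (rsa_sign offered: %d)\n",
           rc, req.cert_type_count, req.sig_alg_count, req.ca_count, offers_cert_type(&req, 1));
    uint8_t reply[16];
    printf("empty Certificate reply is %zu bytes\n", build_empty_certificate(reply, sizeof reply));
    return rc;
}
```

Feeding the bytes of the real CertificateRequest from the debug trace into parse_certificate_request tells you whether the server offered a certificate type and signature algorithm the client can actually satisfy and whether the CA list is empty or names a CA the client does not hold a certificate for. Whatever the answer, a conforming TLS 1.2 client still has to send either a Certificate message or the empty one built above; a client that sends nothing at all has stalled on its own side, which matches the symptom in this thread.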