[Help-gnutls] client certificate authentication
Tristan Hill
stan at saticed.me.uk
Sun Jan 25 12:37:23 CET 2009
I have done some more investigation with ssldump:
New TCP connection #4: localhost.localdomain(49051) <-> localhost.localdomain(443)
4 1 0.0047 (0.0047) C>SV3.2(99) Handshake
ClientHello
Version 3.2
4 2 0.0135 (0.0088) S>CV3.1(74) Handshake
ServerHello
Version 3.1
4 3 0.0135 (0.0000) S>CV3.1(1534) Handshake
Certificate
4 4 0.0135 (0.0000) S>CV3.1(397) Handshake
ServerKeyExchange
4 5 0.0135 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
4 6 0.0803 (0.0667) C>SV3.1(134) Handshake
ClientKeyExchange
4 7 0.1180 (0.0376) C>SV3.1(1) ChangeCipherSpec
4 8 0.1180 (0.0000) C>SV3.1(256) Handshake
4 9 0.1185 (0.0005) S>CV3.1(1) ChangeCipherSpec
4 10 0.1185 (0.0000) S>CV3.1(48) Handshake
4 11 0.1295 (0.0110) C>SV3.1(368) application_data
4 12 0.1301 (0.0005) S>CV3.1(32) Handshake
4 13 0.1491 (0.0190) C>SV3.2(192) Handshake
4 14 0.1494 (0.0002) S>CV3.1(32) Alert
4 0.1495 (0.0001) S>C TCP FIN
4 0.2651 (0.1156) C>S TCP FIN
The V3.2 on the final handshake looked suspicious to me (it appears to
match the hexdump in the gnutls debug output from the original post,
however). I assume the final two handshakes are CertificateRequest and
Certificate messages.
I have tried removing GNUTLS_TLS1_1 from the protocol_priority array in
gnutls_priority.c and this seems to allow a successful connection
authenticating with a client certificate.
I'm unsure if this is valid behaviour from openssl however.
Thanks
Tristan
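As an added example (not part of the post above, and not gnutls or ssldump code), here is a small Python parser for ssldump-style record lines that checks the two things the post reasons about: whether every record after the ServerHello carries the version the server selected, and which Handshake records appear after application data has already flowed (a renegotiation, here the server belatedly asking for a client certificate). It assumes the line layout shown in the post; the trace below is a constructed excerpt of it, and since ssldump cannot name messages inside encrypted records, the renegotiation check is a heuristic on record types only.

```python
import re

# Constructed sample: an excerpt of the ssldump trace quoted in the post above.
TRACE = """\
4 1 0.0047 (0.0047) C>SV3.2(99) Handshake
ClientHello
4 2 0.0135 (0.0088) S>CV3.1(74) Handshake
ServerHello
4 11 0.1295 (0.0110) C>SV3.1(368) application_data
4 12 0.1301 (0.0005) S>CV3.1(32) Handshake
4 13 0.1491 (0.0190) C>SV3.2(192) Handshake
4 14 0.1494 (0.0002) S>CV3.1(32) Alert
4 0.1495 (0.0001) S>C TCP FIN
"""

# ssldump record line: conn seq time (delta) C>S|S>C V<ver>(<len>) <content type>
RECORD_RE = re.compile(
    r"^\d+\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)V(\d+\.\d+)\((\d+)\)\s+(\w+)")

def parse_trace(text):
    """One dict per TLS record; a bare message name on the next line becomes 'msg'."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append({"seq": int(m[1]), "dir": m[2], "version": m[3],
                            "length": int(m[4]), "type": m[5], "msg": None})
        elif records and records[-1]["msg"] is None and re.fullmatch(r"[A-Za-z]+", line):
            records[-1]["msg"] = line  # plaintext handshake message name, e.g. ServerHello
    return records

def version_anomalies(records):
    """Records after the ServerHello whose record-layer version differs from the one
    the server chose. The ClientHello is skipped: it may announce a higher version."""
    negotiated, out = None, []
    for r in records:
        if negotiated is None:
            if r["msg"] == "ServerHello":
                negotiated = r["version"]
        elif r["version"] != negotiated:
            out.append(r)
    return out

def renegotiation_handshakes(records):
    """Handshake records seen after application data has flowed, i.e. a renegotiation."""
    seen_data, out = False, []
    for r in records:
        seen_data = seen_data or r["type"] == "application_data"
        if seen_data and r["type"] == "Handshake":
            out.append(r)
    return out
```

On the excerpt, the only version anomaly is record 13 (client, V3.2 after the server selected 3.1), and records 12 and 13 are the renegotiation handshakes that precede the server's Alert.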