From: "hsbt (Hiroshi SHIBATA)"
Date: 2021-11-30T04:50:59+00:00
Subject: [ruby-core:106324] [Ruby master Feature#15353] Support client certificates with TLS 1.3 and OpenSSL 1.1.1

Issue #15353 has been updated by hsbt (Hiroshi SHIBATA).

Status changed from Open to Closed

This feature was merged at https://github.com/ruby/openssl/pull/239

----------------------------------------
Feature #15353: Support client certificates with TLS 1.3 and OpenSSL 1.1.1
https://bugs.ruby-lang.org/issues/15353#change-94955

* Author: mkauf (Michael Kaufmann)
* Status: Closed
* Priority: Normal
----------------------------------------
A TLS 1.3 server can request a client certificate after the handshake. Clients tell the server during the handshake whether they support this feature.

In OpenSSL 1.1.1, this feature is enabled with the functions SSL_CTX_set_post_handshake_auth() or SSL_set_post_handshake_auth().

In curl, it has been implemented with this commit: https://github.com/curl/curl/commit/b939bc47b27cd57c6ebb852ad653933e4124b452

To test this, OpenSSL's "s_server" tool can be used. Start it with:

    openssl s_server -accept 1234 -cert MyRootCA.pem -key MyRootCA.key -CAfile MyRootCA.pem

Then start the test client (see attachment):

    ./client.rb

Now press the key "c" and press ENTER in openssl s_server.

Currently, this message is printed:

    Failed to initiate request
    139785143845312:error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received:ssl/ssl_lib.c:5477:

This means that the client does not support post-handshake authentication.

Note: The certificates have been created as explained here: https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.CeFw2fer.dpbs

---Files--------------------------------
client.rb (387 Bytes)
MyClient1.key (1.64 KB)
MyClient1.pem (1.25 KB)
MyRootCA.key (1.64 KB)
MyRootCA.pem (1.35 KB)

-- 
https://bugs.ruby-lang.org/