On Wed, Sep 01, 2021 at 03:36:36PM +0000, Zeke Evans wrote:
> Hi,
> 
> Is there any way to check the status of client authentication sent in a TLS 
> 1.3 handshake after SSL_connect returns?  With TLS 1.2 SSL_connect seems to 
> always capture the status and return an error code if it failed but not TLS 
> 1.3.  I haven't been able to find a good way to do this after SSL_connect 
> returns.  I have to handle blocking and non-blocking sockets so calling 
> SSL_read or SSL_peek isn't an option since those could block.  If client 
> authentication happened to fail then calling those methods would work because 
> they will return an error but if it didn't fail then they could block.

Note that the server is allowed to ignore a client cert that it doesn't like, 
proceeding with the connection as if the client was unauthenticated.  If you 
need a specific signal that the server believes the client successfully 
authenticated, that has to be at the application layer.

Did you try a zero-length SSL_read()?  My recollection is that that gets far 
enough into the library to see if there are pending alert messages to process.

-Ben