On Tue, Sep 11, 2018 at 10:42:02AM +0200, Stefan Eissing wrote:
> > On 10.09.2018 at 10:59, Joe Orton <jor...@redhat.com> wrote:
> > http://svn.apache.org/viewvc?view=revision&revision=1828220
> > - I think this is merged in the branch slightly differently?
>
> I think this overlaps with a subsequent change of SSL_HAVE_PROTOCOL_TLSV1_3
> vs. SSL_OP_NO_TLSv1_3? Feel free to fix this as you think it's best.

Probably just need to mark it merged, ignore this for now.

> > http://svn.apache.org/viewvc?view=revision&revision=1828790
> > http://svn.apache.org/viewvc?view=revision&revision=1828791
> > http://svn.apache.org/viewvc?view=revision&revision=1828792
> > - I think these should be merged too?
>
> Just done. Thanks!

Thanks a lot.

Does anybody have successful test results with post-handshake auth? I'm testing against Fedora's OpenSSL 1.1.1pre9 which has merged the changes for https://github.com/openssl/openssl/issues/6933

I'm not able to get a successful PHA exchange, even with a client which explicitly enables PHA. It seems like the test suite will be broken until the Perl stack is patched to enable PHA somehow, which is a massive headache AFAICT.

Without the SSL_peek(ssl, peekbuf, 0) after SSL_do_handshake(), OpenSSL is sending the CertificateRequest to the client but doesn't wait to read the response. With the SSL_peek() call I think it successfully completes the "handshake" (and gets the cert) but then hangs waiting for app_data which is never coming, and eventually times out.

Anybody got better results?

Regards, Joe