Hi,
I am using libcurl and OpenSSL to communicate with various webservers, most of
which require client authentication. I am having trouble connecting to one
server that requires TLSv1.2. After the server has sent a Certificate Request,
OpenSSL sends up the client cert (I think) and the server replies with a
Decrypt Error alert. The messages that are sent to the server are (as decoded
by Wireshark):
Client Key Exchange
Client Key Exchange
Certificate Verify
Change Cipher Spec
Encrypted Handshake MessageThe first CKE is 1456 bytes long, which I suspect means it includes the certificate as the PreMaster is only 258 bytes. I am wondering if this is something to do with TLSv1.2, all of the other servers I connect to are happy with TLSv1. If I use the cURL command line tool then it works: ... * SSLv3, TLS handshake, Request CERT (13): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): I have attached ClientCertFail.pcapng which shows the trace of a failure, along with ClientCertFail.keys which contains the keys for that session. (btw, are the strange CKE messages from client -> server simply an artefact of Wireshark's decoding, or do they point to the problem? They don't seem to match cURL's diagnostic output, but I can't see the network capture from cURL as it won't output the session keys) Many thanks, Ben
ClientCertFail.keys
Description: ClientCertFail.keys
ClientCertFail.pcapng
Description: ClientCertFail.pcapng
