Re: ssl3_get_client_certificate: no certificate returned
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>> Dr. Stephen Henson wrote:
>>> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>>>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom verification mechanism by setting verify_cb³. Here's an example (keys included): http://paste.scsys.co.uk/159837
>>>>
>>>> If the custom verification callback decides a peer is bad, it shall return 0 and return 1 otherwise. If 0 is returned, this warning is produced:
>>>>
>>>>     ssl3_get_client_certificate: no certificate returned
>>>>
>>>> [...]
>>>
>>> The warning isn't printed by OpenSSL it is an error code. So perhaps the wrapper is printing the error?
>>
>> I didn't find it in either of the wrapper modules, but I did in OpenSSL:
>>
>>     tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
>>     doc/ssleay.txt:Error because no certificate returned.
>>     ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
>
> Yes but that's a textual version of the error. OpenSSL does not print it out: an application call is needed to do that.

Ah OK. However, I checked with AnyEvent::TLS and Net::SSLeay, neither of those seems to emit this error message. SSLeay, which is what AnyEvent::TLS uses, imports a lot of OpenSSL macros, but not SSL_R_NO_CERTIFICATE_RETURNED.

My guess is, that the error is put there by ssl/s3_srvr.c (line 2990, version 1.0.0e) and printed out by SSLeay. Can you confirm this?

If that's the case, I'd like to know, how this warning is produced. AFAICS my custom verification callback breaks the verification chain, because of

    ssl_verify_cert_chain(s,sk) = 0

I still don't quite understand the meaning of the warning message. Can/should I just live with it or does it indicate a bug (in either OpenSSL, Net::SSLeay or AnyEvent::TLS)?
ssl3_get_client_certificate: no certificate returned
Hi,

I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom verification mechanism by setting verify_cb³. Here's an example (keys included): http://paste.scsys.co.uk/159837

If the custom verification callback decides a peer is bad, it shall return 0 and return 1 otherwise. If 0 is returned, this warning is produced:

    ssl3_get_client_certificate: no certificate returned

It's only a warning which does not seem to impair functionality; no warning is printed if 1 is returned.

I've already asked on the AnyEvent mailing list⁴, but the author of AnyEvent::TLS couldn't really nail it down either. Can you help me? Why is this warning printed and what could be done to eliminate the problem?

TIA,
Tobias

¹ http://search.cpan.org/~mikem/Net-SSLeay-1.42/lib/Net/SSLeay.pm
² http://search.cpan.org/~mlehmann/AnyEvent-6.1/lib/AnyEvent/TLS.pm which I use through AnyEvent::MPRPC, but that shouldn't matter :-)
³ http://search.cpan.org/~mlehmann/AnyEvent-6.1/lib/AnyEvent/TLS.pm#verify_cb
⁴ http://lists.schmorp.de/pipermail/anyevent/2011q4/000203.html
Re: ssl3_get_client_certificate: no certificate returned
On Tue, Nov 15, 2011, Tobias Nissen wrote:
> Hi,
>
> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom verification mechanism by setting verify_cb³. Here's an example (keys included): http://paste.scsys.co.uk/159837
>
> If the custom verification callback decides a peer is bad, it shall return 0 and return 1 otherwise. If 0 is returned, this warning is produced:
>
>     ssl3_get_client_certificate: no certificate returned
>
> It's only a warning which does not seem to impair functionality; no warning is printed if 1 is returned.
>
> I've already asked on the AnyEvent mailing list⁴, but the author of AnyEvent::TLS couldn't really nail it down either. Can you help me? Why is this warning printed and what could be done to eliminate the problem?

The warning isn't printed by OpenSSL it is an error code. So perhaps the wrapper is printing the error?

I don't know about that wrapper but you should set a verify return code using SSL_set_verify_result() and if you want it to fail if no certificate is returned you should also include the flag SSL_VERIFY_FAIL_IF_NO_PEER_CERT

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: ssl3_get_client_certificate: no certificate returned
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom verification mechanism by setting verify_cb³. Here's an example (keys included): http://paste.scsys.co.uk/159837
>>
>> If the custom verification callback decides a peer is bad, it shall return 0 and return 1 otherwise. If 0 is returned, this warning is produced:
>>
>>     ssl3_get_client_certificate: no certificate returned
>>
>> It's only a warning which does not seem to impair functionality; no warning is printed if 1 is returned.
>>
>> I've already asked on the AnyEvent mailing list⁴, but the author of AnyEvent::TLS couldn't really nail it down either. Can you help me? Why is this warning printed and what could be done to eliminate the problem?
>
> The warning isn't printed by OpenSSL it is an error code. So perhaps the wrapper is printing the error?

I didn't find it in either of the wrapper modules, but I did in OpenSSL:

    tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
    doc/ssleay.txt:Error because no certificate returned.
    ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
Re: ssl3_get_client_certificate: no certificate returned
On Tue, Nov 15, 2011, Tobias Nissen wrote:
> Dr. Stephen Henson wrote:
>> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom verification mechanism by setting verify_cb³. Here's an example (keys included): http://paste.scsys.co.uk/159837
>>>
>>> If the custom verification callback decides a peer is bad, it shall return 0 and return 1 otherwise. If 0 is returned, this warning is produced:
>>>
>>>     ssl3_get_client_certificate: no certificate returned
>>>
>>> It's only a warning which does not seem to impair functionality; no warning is printed if 1 is returned.
>>>
>>> I've already asked on the AnyEvent mailing list⁴, but the author of AnyEvent::TLS couldn't really nail it down either. Can you help me? Why is this warning printed and what could be done to eliminate the problem?
>>
>> The warning isn't printed by OpenSSL it is an error code. So perhaps the wrapper is printing the error?
>
> I didn't find it in either of the wrapper modules, but I did in OpenSSL:
>
>     tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
>     doc/ssleay.txt:Error because no certificate returned.
>     ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},

Yes but that's a textual version of the error. OpenSSL does not print it out: an application call is needed to do that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
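The two points from Dr. Henson's replies (set a verify result and include SSL_VERIFY_FAIL_IF_NO_PEER_CERT; errors are queued and only printed by an application call) as they look through Net::SSLeay. This is an added example, not code from the thread or from either wrapper module. The subject policy, the name '/CN=trusted-client' and the missing file path are constructed, and recording the result with X509_STORE_CTX_set_error inside the callback is an assumption of this example.

```perl
# Added example, not code from the thread. Requires Net::SSLeay.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();
# Value of X509_V_ERR_APPLICATION_VERIFICATION in OpenSSL's x509_vfy.h.
use constant APP_VERIFICATION => 50;
# Hypothetical policy: the leaf subject must contain this constructed name.
my $wanted = '/CN=trusted-client';

sub verify_cb {
    my ($ok, $store_ctx) = @_;
    return 0 unless $ok;    # never override OpenSSL's own chain failure
    # Apply the extra policy to the peer certificate only (depth 0).
    return 1 if Net::SSLeay::X509_STORE_CTX_get_error_depth($store_ctx) > 0;
    my $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($store_ctx);
    my $subject = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_subject_name($cert));
    return 1 if index($subject, $wanted) >= 0;
    # Record the reason before refusing, so the connection's verify result
    # says "application verification failure" instead of X509_V_OK.
    Net::SSLeay::X509_STORE_CTX_set_error($store_ctx, APP_VERIFICATION);
    return 0;
}

# Pop every queued OpenSSL error and turn it into text. Nothing reaches
# STDERR or a log unless some caller does this.
sub drain_errors {
    my @text;
    while (my $code = Net::SSLeay::ERR_get_error()) {
        push @text, Net::SSLeay::ERR_error_string($code);
    }
    return @text;
}

my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
# A server with this mode rejects clients that send no certificate at all.
Net::SSLeay::CTX_set_verify($ctx,
    Net::SSLeay::VERIFY_PEER() | Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT(),
    \&verify_cb);

# Offline demonstration of the queue: this load fails without printing.
Net::SSLeay::CTX_use_certificate_file($ctx, '/nonexistent/cert.pem',
    Net::SSLeay::FILETYPE_PEM());
print "queued: $_\n" for drain_errors();
Net::SSLeay::CTX_free($ctx);
```

Calling drain_errors() after a failed handshake is what turns a queued code into readable text; searching a wrapper for calls to ERR_get_error or ERR_error_string shows where such text is emitted.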