SSL mutual authentication

Discussion to talk about software related topics only.
RebootExpert
Posts: 78
Joined: Fri Oct 09, 2020 2:57 pm

Re: SSL mutual authentication

Post by RebootExpert »

Hi Jon,

Thanks for the info. There's an issue I've found. As I set the client authentication to be mandatory, now all the other ports that are listening will mandate for a client certificate to be able to establish a connection.

To be more detail, device is accepting connection at two ports. eg 30000 and 40000 like this:

Code: Select all

function1()
{
	//doesn't require a client cert. eg port 30000
	SSL_accept(listener, &address, NULL, 0); 
}
function2()
{
	// client cert is needed. eg port 40000
	SSL_accept(listener, &address, NULL, 0, true, true, client_ca_cert, client_ca_cert_len, SSL_FILETYPE_PEM, nullptr); 
}
When the device boots up, if function1() get called first, it can establish a connection without a client certificate. However, if function2() get called later, it can also establish a connection without providing a client cert because a "certificate request" is not in server hello message during the handshake. Note, I already modified the cryptolib. Also this explain why I never saw "certificate request" but a reboot fixed it in my previous post in this thread.

If function2() get called first since device boots up, it can make a connection with providing a valid client cert. But now function1() will request a client cert too at port 30000 even it never ask for it. So it failed to make a connection. The "certificate request" now is included in the server hello message.
Post Reply