On Tue, May 28, 2002 at 02:59:50PM +0200, Sharon Hezy wrote:
> I'm trying to connect to an https site on an IIS server using my applicative
> OpenSSL client; the site is defined as "require SSL channel" and "accept client
> certificate". It means that I have to call the site using SSL, but I don't have
> to pass a client certificate (it's "accept", not "require").
> So, I started the handshake without supplying the client with a certificate.
> IIS responded with "500 - Internal Server Error"
> (Actually, it didn't respond at all, but I saw the error code in its log).

Internal Server Error may mean anything, especially it might mean that IIS had
an internal error that has nothing to do with OpenSSL at all.

> Then, I decided to check the client against an OpenSSL server: I ran s_server
> (the sample server) and checked my client against it - it worked fine in both
> cases ("accept" and "require"). So, it seems that IIS and OpenSSL servers do
> the handshake differently. So, I decided to check the handshake itself (by
> looking at the types of messages that the client receives from the server
> during the handshake, in both the OpenSSL and IIS handshakes).
>
> And this is what I saw:
> In OpenSSL, after sending the server certificate, the server sends a
> certificate request (to get the client certificate) - it doesn't matter at
> this step if the case is "accept" or "require" - it will matter later to the
> server but not to the client and not now. So, the client reads the server's
> certificate request and sends back a certificate message (in my case, with an
> empty certificate). And the handshake finishes fine and the connection goes on.
>
> In IIS, on the other hand, the server sends its certificate and then sends a
> "SERVER_DONE" message, which means that IIS is not even trying to ask for a
> certificate from the client.

Well, if IIS decides to do so.

> So, I guess that maybe IIS is asking for a re-handshake just to ask for the
> client certificate? Is it right?
> If it is - I have two questions:
> 1. How can I support re-handshake in my client? (Maybe code examples?)

Re-handshaking is implemented inside the OpenSSL library and will occur
automatically. Your application will hardly know unless it really tries to
find out :-)

> 2. How can I change this behavior of IIS? (if somebody knows...)
>
> If my guess does not seem to be right - maybe somebody can enlighten me?

Please give s_client with the "-bugs" option a try. It will enable several
bug workarounds (SSL_OP_ALL, if you intend to use SSL_CTX_set_options()).
I however don't know whether this helps.

In any case I consider an "internal server error" to be a problem of your
IIS. See whether accessing with Netscape, IE etc. works and check out the
handshake for comparison. See whether there are software updates available
for IIS. Or even better: give another good webserver a try: Apache :-)

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
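An added example (not part of the thread above and not OpenSSL project code): a small Python parser that does what Sharon did by hand, reading the TLS record and handshake headers of the server's first flight and listing the handshake message types, so the two server flows she describes (OpenSSL s_server sending CertificateRequest before ServerHelloDone, IIS going straight to ServerHelloDone) can be told apart mechanically. The two byte strings are constructed, not captured; the certificate body is a dummy placeholder, and the IIS-style flight is deliberately split across records to show reassembly. It only sees the initial, cleartext handshake: a renegotiation that the server starts later runs inside the established record layer and is encrypted, so on the wire it shows up only as handshake-type records that this parser can no longer decode.

```python
import struct

HANDSHAKE = 22  # TLS record content type carrying handshake messages
HS_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}


def tls_records(stream):
    """Split raw bytes into (content_type, version, payload) TLS records."""
    out, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        out.append((ctype, version, payload))
        off += 5 + length
    return out


def handshake_messages(stream):
    """Concatenate all handshake records (a message may span records or share
    one) and return the list of (handshake_type, body) in wire order."""
    buf = b"".join(p for t, _, p in tls_records(stream) if t == HANDSHAKE)
    msgs, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated handshake header")
        hs_type = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((hs_type, body))
        off += 4 + length
    return msgs


def message_names(stream):
    """Human-readable message sequence, e.g. for printing next to a capture."""
    return [HS_NAMES.get(t, "type%d" % t) for t, _ in handshake_messages(stream)]


def server_requests_client_cert(stream):
    """True if the server's flight carries a CertificateRequest (13) before
    ServerHelloDone (14), i.e. the client is asked for a certificate now."""
    types = [t for t, _ in handshake_messages(stream)]
    if 14 not in types:
        raise ValueError("no ServerHelloDone in flight")
    return 13 in types[:types.index(14)]


# ---- constructed sample flights (not real captures) ----
def hs(msg_type, body):
    """Handshake message: type(1) + length(3) + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def rec(payload, ctype=HANDSHAKE, version=0x0301):
    """TLS record: type(1) + version(2) + length(2) + payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


SERVER_HELLO = hs(2, b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
# certificate_list of one dummy 4-byte "certificate" (placeholder, not DER)
CERTIFICATE = hs(11, (7).to_bytes(3, "big") + (4).to_bytes(3, "big") + b"\xde\xad\xbe\xef")
# certificate_types = [rsa_sign], empty distinguished-name list
CERT_REQUEST = hs(13, b"\x01\x01\x00\x00")
SERVER_HELLO_DONE = hs(14, b"")

# what s_server sent: CertificateRequest is in the first flight
OPENSSL_FLIGHT = rec(SERVER_HELLO + CERTIFICATE + CERT_REQUEST + SERVER_HELLO_DONE)
# what IIS sent: no CertificateRequest; Certificate split across two records
IIS_FLIGHT = (rec(SERVER_HELLO)
              + rec(CERTIFICATE[:5])
              + rec(CERTIFICATE[5:] + SERVER_HELLO_DONE))

if __name__ == "__main__":
    for name, flight in (("OpenSSL s_server", OPENSSL_FLIGHT), ("IIS", IIS_FLIGHT)):
        print(name, message_names(flight),
              "asks for client cert now:", server_requests_client_cert(flight))
```

To use it on a real connection, feed the server-to-client bytes of the TCP stream (everything before the first ChangeCipherSpec) into message_names; once the Finished messages are exchanged, later handshake records are encrypted and only their content type (22) remains visible.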