----- Forwarded Message -----
From: Zlatko Vrastic <vras...@yahoo.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Sent: Friday, October 22, 2021, 03:25:10 PM GMT+2
Subject: openssl s_client privatekey engine pkcs11 - no SSL_connect:SSLv3/TLS write certificate verify

When using

  openssl s_client ...... -keyform engine -engine pkcs11 -key 0:00

there is no "SSL_connect:SSLv3/TLS write certificate verify" step in the handshake protocol, and the server rejects the connection.

The connection is an HTTPS GET to obtain a token for further communication. During this HTTPS GET, TLS 1.2 is used as the protocol. Connecting to the server from Windows with a Visual Studio HTTPS request works with either the PFX or the smart card; we get the token. On Linux, with openssl + opensc and client.pem and privatekey.pem extracted from the PFX certificate, the connection is OK and we get the token. When we use the smart card with openssl + opensc we get "authorisation denied"; the SSL client is not sending "SSL_connect:SSLv3/TLS write certificate verify". Comparing the SSL logs, the initial handshake is the same; after we send the GET request string, the handshake differs.

Good communication when client.pem and privatekey.pem are used:

  SSL_connect:SSL negotiation finished successfully
  SSL_connect:SSL negotiation finished successfully
  SSL_connect:SSLv3/TLS read hello request
  SSL_connect:SSLv3/TLS write client hello
  SSL_connect:SSLv3/TLS write client hello
  SSL_connect:SSLv3/TLS read server hello
  SSL_connect:SSLv3/TLS read server certificate
  SSL_connect:SSLv3/TLS read server key exchange
  SSL_connect:SSLv3/TLS read server certificate request
  SSL_connect:SSLv3/TLS read server done
  SSL_connect:SSLv3/TLS write client certificate
  SSL_connect:SSLv3/TLS write client key exchange
  SSL_connect:SSLv3/TLS write certificate verify
  SSL_connect:SSLv3/TLS write change cipher spec
  SSL_connect:SSLv3/TLS write finished
  SSL_connect:SSLv3/TLS write finished
  SSL_connect:SSLv3/TLS read change cipher spec
  SSL_connect:SSLv3/TLS read finished
  read R BLOCK
  HTTP/1.1 200 OK

Missing "write certificate verify" when using the GIDS smart card with

  -keyform engine -engine pkcs11 -key 0:00

(it behaves the same with: -keyform engine -engine pkcs11 -key "pkcs11:id=%00;type=private"):

  SSL_connect:SSL negotiation finished successfully
  SSL_connect:SSL negotiation finished successfully
  SSL_connect:SSLv3/TLS read hello request
  SSL_connect:SSLv3/TLS write client hello
  SSL_connect:SSLv3/TLS write client hello
  SSL_connect:SSLv3/TLS read server hello
  SSL_connect:SSLv3/TLS read server certificate
  SSL_connect:SSLv3/TLS read server key exchange
  SSL_connect:SSLv3/TLS read server certificate request
  SSL_connect:SSLv3/TLS read server done
  SSL_connect:SSLv3/TLS write client certificate
  SSL_connect:SSLv3/TLS write client key exchange
  SSL_connect:SSLv3/TLS write change cipher spec
  SSL_connect:SSLv3/TLS write finished
  SSL_connect:SSLv3/TLS write finished
  SSL_connect:SSLv3/TLS read change cipher spec
  SSL_connect:SSLv3/TLS read finished
  read R BLOCK
  HTTP/1.1 401 Unauthorized

Do you have any suggestions on what to try? We debugged and verified that the OpenSSL pkcs11 engine through opensc is working well. We do not know how to tell s_client to send "SSLv3/TLS write certificate verify"; when it is not sent, we get rejected by the server.

Another issue we had was with cipher suites. The server usually works with ECDHE-RSA-AES256-GCM-SHA384. With OpenSSL installed on Linux this cipher is used for the communication. With OpenSSL installed on Windows it returns

  742F0000:error:0A080006:SSL routines:ssl_generate_param_group:EVP lib:ssl\s3_lib.c:4727:
  742F0000:error:0A00013A:SSL routines:tls_process_ske_ecdhe:unable to find ecdh parameters:ssl\statem\statem_clnt.c:2140:

This cipher suite is supported by OpenSSL when checked with the ciphers command, and later it shows

  New, (NONE), Cipher is (NONE)

We skipped over this with -cipher AESGCM:!ECDHE-RSA-AES256-GCM-SHA384, telling OpenSSL not to use this cipher; the communication is then switched to

  New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

But this problem with "SSLv3/TLS write certificate verify" is the same on Linux and Windows.
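An added example, not code from the original post or from OpenSSL: a small checker that reads an `openssl s_client -state` trace like the two quoted above and says whether TLS 1.2 client authentication actually completed. It rests on one fact about the OpenSSL client state machine: CertificateVerify is written only when the server sent a CertificateRequest and the client certificate OpenSSL selected has a private key attached; otherwise the client goes straight from ClientKeyExchange to ChangeCipherSpec, which is exactly the shape of the smart-card trace. Two caveats the check cannot resolve from the trace alone: "write client certificate" is logged even when the Certificate message is empty (no usable cert/key), so an `-msg` capture is needed to see whether a certificate was really sent, and TLS 1.3 logs different message names. The sample traces in the block are constructed from the lines in the message; the regexes, the `Handshake` class and the verdict codes are this example's own assumptions.

```python
"""Classify an `openssl s_client -state` trace for TLS 1.2 client authentication.

Added example; not code from the original post or from OpenSSL. Assumes the
trace was captured with `openssl s_client -state ... 2>&1` against a TLS 1.2
server, so the logged message names are the TLS 1.2 ones.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

STATE_RE = re.compile(r"^SSL_connect:SSLv3/TLS (read|write) (.+)$")
CIPHER_RE = re.compile(r"^New, (\S+), Cipher is (.+)$")
ERROR_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:(\w+):([^:]+)")
HTTP_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

# Constructed sample traces, reassembled from the lines quoted in the message.
GOOD_TRACE = """\
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS read finished
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
read R BLOCK
HTTP/1.1 200 OK
"""
# Same exchange through the pkcs11 engine: CertificateVerify absent, server says 401.
CARD_TRACE = GOOD_TRACE.replace(
    "SSL_connect:SSLv3/TLS write certificate verify\n", ""
).replace("HTTP/1.1 200 OK", "HTTP/1.1 401 Unauthorized")
# Windows build failing on the ECDHE parameters before any cipher is agreed.
WINDOWS_TRACE = r"""
SSL_connect:SSLv3/TLS read server certificate
742F0000:error:0A080006:SSL routines:ssl_generate_param_group:EVP lib:ssl\s3_lib.c:4727:
742F0000:error:0A00013A:SSL routines:tls_process_ske_ecdhe:unable to find ecdh parameters:ssl\statem\statem_clnt.c:2140:
New, (NONE), Cipher is (NONE)
"""


@dataclass
class Handshake:
    cert_requested: bool = False       # server sent CertificateRequest
    client_cert_written: bool = False  # Certificate sent (logged even when empty)
    cert_verify_written: bool = False  # CertificateVerify sent: proof of key possession
    server_finished: bool = False      # server's Finished read, handshake completed
    cipher: Optional[str] = None
    http_status: Optional[int] = None
    errors: List[str] = field(default_factory=list)


def parse_state_trace(text: str) -> Handshake:
    """Record the handshake messages, cipher, library errors and HTTP status."""
    hs = Handshake()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATE_RE.match(line):
            key = m.groups()
            if key == ("read", "server certificate request"):
                hs.cert_requested = True
            elif key == ("write", "client certificate"):
                hs.client_cert_written = True
            elif key == ("write", "certificate verify"):
                hs.cert_verify_written = True
            elif key == ("read", "finished"):
                hs.server_finished = True
        elif m := CIPHER_RE.match(line):
            hs.cipher = m.group(2)
        elif m := ERROR_RE.search(line):
            hs.errors.append(f"{m.group(1)}: {m.group(2)}")
        elif m := HTTP_RE.match(line):
            hs.http_status = int(m.group(1))
    return hs


def diagnose(hs: Handshake) -> str:
    """Return a verdict code for the client-authentication outcome."""
    if hs.errors:
        return "SSL_ERROR"        # library failed before client auth was reached
    if hs.cipher in (None, "(NONE)"):
        return "NO_CIPHER"        # no key agreement, nothing to authenticate
    if not hs.cert_requested:
        return "NO_CERT_REQUEST"  # server does no client auth; no CertificateVerify expected
    if not hs.client_cert_written:
        return "NO_CLIENT_CERT"
    if not hs.cert_verify_written:
        # OpenSSL writes CertificateVerify only when the client certificate it
        # selected has a private key attached; otherwise it goes straight to
        # ChangeCipherSpec and the server sees a cert with no proof of possession.
        return "NO_CERT_VERIFY"
    if not hs.server_finished:
        return "NO_SERVER_FINISHED"
    return "OK"


if __name__ == "__main__":
    # Pipe a real trace in, or run with no input to see the smart-card sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else CARD_TRACE
    hs = parse_state_trace(text)
    print(diagnose(hs), "cipher:", hs.cipher, "http:", hs.http_status, "errors:", hs.errors)
```

To use it on the real connection, pipe the trace in: `openssl s_client -state -connect host:443 -cert client.pem -keyform engine -engine pkcs11 -key 0:00 2>&1 | python3 check_trace.py` (the script name is this example's own). A `NO_CERT_VERIFY` verdict points at the key side of the engine setup rather than at the server or the cipher list, since the handshake otherwise ran to Finished.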