Don't call the client_cert_cb immediately in TLSv1.3 (e4562014) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL · GitLab

Commit e4562014 authored Oct 11, 2018 by

Matt Caswell

Don't call the client_cert_cb immediately in TLSv1.3



In TLSv1.2 and below a CertificateRequest is sent after the Certificate
from the server. This means that by the time the client_cert_cb is called
on receipt of the CertificateRequest a call to SSL_get_peer_certificate()
will return the server certificate as expected. In TLSv1.3 a
CertificateRequest is sent before a Certificate message so calling
SSL_get_peer_certificate() returns NULL.

To workaround this we delay calling the client_cert_cb until after we
have processed the CertificateVerify message, when we are doing TLSv1.3.

Fixes #7384

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7413)

parent 828b5295

Hide whitespace changes

Inline Side-by-side

admin_forge @etsi-cti-admin
mentioned in commit a2388b50
· Jun 19, 2019

mentioned in commit a2388b50

mentioned in commit a2388b50afc5136a1b65d0bf794f0398c31a1acb

Toggle commit list

Please register or to comment