handshake failed: error:1400A09F:SSL routines:CONNECT_CR_CERT_REQ:length mismatch #950
Comments
The error you are hitting is this error in ssl_tlsext_ocsp_client_parse():

```c
if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
	if (msg_type == SSL_TLSEXT_MSG_CR) {
		/*
		 * RFC 8446, 4.4.2.1 - the server may request an OCSP
		 * response with an empty status_request.
		 */
		if (CBS_len(cbs) == 0)
			return 1;
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		return 0;
	}
	...
```

If you comment out the

However, RFC 8446, section 4.4.2.1 says this:

The definition of the

Now we seem to be stricter than OpenSSL who complete the handshake, but

```
$ gnutls-cli --ocsp -V api.communicalia.com
Processed 134 CA certificate(s).
Resolving 'api.communicalia.com:443'...
Connecting to '52.50.170.116:443'...
*** Fatal error: Error decoding the received TLS packet.
```

So I'd argue this is the server misbehaving, not a LibreSSL bug.

Added: Running

Which points at this code in

```c
} else if (tls_id == ext_mod_status_request.tls_id) {
	if (data_size != 0)
		return gnutls_assert_val(
			GNUTLS_E_TLS_PACKET_DECODING_ERROR);
```

which is precisely the same check as we have.
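The rule both libraries apply above, as an added illustration that is not LibreSSL's or GnuTLS's code: an assumed Python parser for a TLS 1.3 CertificateRequest body that rejects a non-empty status_request extension, run over constructed sample messages (the bytes the real server sent are not on this page).

```python
import struct

TLSEXT_TYPE_status_request = 5          # RFC 6066 / RFC 8446 extension type
TLSEXT_TYPE_signature_algorithms = 13


class LengthMismatch(ValueError):
    """Equivalent of SSL_R_LENGTH_MISMATCH / GNUTLS_E_TLS_PACKET_DECODING_ERROR."""


def parse_extensions(buf):
    """Split a TLS extensions vector (2-byte length prefix) into (type, data) pairs."""
    if len(buf) < 2:
        raise LengthMismatch("extensions vector truncated")
    (total,) = struct.unpack("!H", buf[:2])
    body = buf[2:2 + total]
    if len(body) != total or len(buf) != 2 + total:
        raise LengthMismatch("extensions length does not match message")
    exts, pos = [], 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise LengthMismatch("extension header truncated")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise LengthMismatch("extension body truncated")
        exts.append((ext_type, data))
        pos += 4 + ext_len
    return exts


def check_certificate_request(msg):
    """Parse a TLS 1.3 CertificateRequest body (context<0..255>, extensions<2..2^16-1>)
    and enforce RFC 8446 4.4.2.1: status_request here must be empty. Returns ext types."""
    if not msg:
        raise LengthMismatch("empty CertificateRequest")
    ctx_len = msg[0]
    exts = parse_extensions(msg[1 + ctx_len:])
    for ext_type, data in exts:
        if ext_type == TLSEXT_TYPE_status_request and len(data) != 0:
            raise LengthMismatch("status_request in CertificateRequest must be empty")
    return [t for t, _ in exts]


def rejects(msg):
    """True if the message is refused with a length error, False if it parses."""
    try:
        check_certificate_request(msg)
    except LengthMismatch:
        return True
    return False


def build_certificate_request(status_request_body):
    """Constructed sample: empty context, signature_algorithms, then status_request."""
    sig_algs = struct.pack("!H", 2) + b"\x08\x04"      # rsa_pss_rsae_sha256
    exts = struct.pack("!HH", TLSEXT_TYPE_signature_algorithms, len(sig_algs)) + sig_algs
    exts += struct.pack("!HH", TLSEXT_TYPE_status_request, len(status_request_body))
    exts += status_request_body
    return b"\x00" + struct.pack("!H", len(exts)) + exts


# Conformant: empty status_request, i.e. the server asks for a stapled OCSP response.
GOOD = build_certificate_request(b"")
# Misbehaving (assumed shape): a TLS 1.2 ClientHello-style body (status_type=ocsp plus
# empty responder list and request extensions) where only an empty extension is allowed.
BAD = build_certificate_request(b"\x01\x00\x00\x00\x00")
```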
I will turn to the server's provider. Thank you very much for your help.

I don't know what TLS library the server provider is running, but I can reproduce this with a LibreSSL-backed Apache http2 server, so this may well involve a LibreSSL server-side bug. I can work around it, but then there are other issues... I'll get back to you when I have time to look more deeply into it.
Hello,

I can't connect to the server https://api.communicalia.com with LibreSSL. The connection failed on handshake:

I have a simple C++ application to try it:

I built it by:

```
[developer@2d4e2a14d2bc data]# g++ /data/libressl-handshake-test/main.cpp -o handshake-test -I/data/libressl/include -L/data/libressl/lib/ -Wl,-rpath /data/libressl/lib -lcrypto -lssl -ltls
```

I linked it with different versions of LibreSSL (v3.5.3, v3.6.3, v3.7.3, v3.8.2), but the handshake to this server failed with every tested version:

```
[developer@2d4e2a14d2bc data]# ./handshake-test api.communicalia.com 443
tls_handshake failed: handshake failed: error:1400A09F:SSL routines:CONNECT_CR_CERT_REQ:length mismatch
```

I found in the curl output that the server requires a client certificate:

The handshake failed with TLSv1.3. When I downgrade the TLS version to 1.2, the handshake succeeds.

Why does the handshake fail in the connection to this server? Is it a bug in the implementation of TLSv1.3 in LibreSSL?

Thanks,
Jakub