Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://github.com/openssl/openssl/issues/6933 below:

post-handshake authentication implicit enablement breaks existing applications · Issue #6933 · openssl/openssl · GitHub

With openssl 1.1.1pre8 the post-handshake authentication is explicitly enabled by openssl when
certificate callbacks are set according to SSL_CTX_set_verify manpage. That's an unexpected behavior for existing TLS1.2 applications (in this particular case it breaks python) which fail because:

• server-side assumes that SSL_CTX contains information about client certs directly after the handshake and before any application data is exchanged.
• client applications that only know to handle client cert auth during the handshake, but not when they are sending/receiving application data.
• client applications that assume that OpenSSL asks for client cert password during the handshake.

A backwards compatible alternative (for tls1.2 apps) would be for applications to explicitly enable
post-handshake authentication via flag in SSL_CTX. That way applications written for tls1.2 will work as intended under tls1.3, while applications which can take advantage of post-handshake authentication will still do, but after explicitly enabling it.

t8m, hroncok, tomato42 and stratakis

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4