[gnutls-devel] GnuTLS | "certificate_required" alert is unknown (#715)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Mon Feb 25 16:34:20 CET 2019
New Issue was created.
Issue 715: https://gitlab.com/gnutls/gnutls/issues/715
Author: Daiki Ueno
Assignee:
## Description of problem:
The server utilizing post-handshake authentication may send a "certificate_required" alert (116) when the client doesn't send any certificate. GnuTLS doesn't know that alert currently.
## Version of gnutls used:
gnutls-3.6.6-1.fc29.x86_64
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora
## How reproducible:
Steps to Reproduce:
* set up apache with post-handshake authentication enabled
```
Alias /aaa/ /var/www/aaa/
<Directory "/var/www/aaa/">
SSLOptions +StrictRequire
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth
</Directory>
```
* connect to the server with gnutls-cli:
```
{ printf 'GET /aaa HTTP/1.1\r\nHost: localhost.localdomain\r\n\r\n'; sleep 10; } | gnutls-cli --x509cafile=Documents/data/ca-cert.pem --post-handshake-auth -d 6 -p 443 localhost.localdomain
```
## Actual results:
```
*** Re-auth was performed.
|<5>| REC[0x5586e0e86ae0]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
|<5>| REC[0x5586e0e86ae0]: Expected Packet Application Data(23)
|<5>| REC[0x5586e0e86ae0]: Received Packet Application Data(23) with length: 19
|<5>| REC[0x5586e0e86ae0]: Decrypted Packet[3] Alert(21) with length: 2
|<5>| REC[0x5586e0e86ae0]: Alert[2|116] - (null) - was received
|<3>| ASSERT: record.c[record_add_to_buffers]:877
|<3>| ASSERT: record.c[record_add_to_buffers]:884
|<3>| ASSERT: record.c[_gnutls_recv_in_buffers]:1567
|<3>| ASSERT: record.c[_gnutls_recv_int]:1766
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [116]: (unknown)
*** Server has terminated the connection abnormally.
```
## Expected results:
116 should be replaced with a readable description.
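The mapping the report asks for, as an added example that is not part of the original report or of GnuTLS's own code: a small C helper that finds `Alert[level|description]` in a debug line like the one above and renders it with the TLS 1.3 alert name. The alert numbers and names are those of RFC 8446, section 6; the function names `alert_name` and `annotate_alert_line` are hypothetical, and the sample lines in `main` are constructed (two follow the log above, one uses a made-up description 200).

```c
#include <stdio.h>
#include <string.h>

/* Alert descriptions defined for TLS 1.3 in RFC 8446, section 6. */
static const struct { unsigned code; const char *name; } ALERTS[] = {
    {0, "close_notify"}, {10, "unexpected_message"}, {20, "bad_record_mac"},
    {22, "record_overflow"}, {40, "handshake_failure"}, {42, "bad_certificate"},
    {43, "unsupported_certificate"}, {44, "certificate_revoked"},
    {45, "certificate_expired"}, {46, "certificate_unknown"},
    {47, "illegal_parameter"}, {48, "unknown_ca"}, {49, "access_denied"},
    {50, "decode_error"}, {51, "decrypt_error"}, {70, "protocol_version"},
    {71, "insufficient_security"}, {80, "internal_error"},
    {86, "inappropriate_fallback"}, {90, "user_canceled"},
    {109, "missing_extension"}, {110, "unsupported_extension"},
    {112, "unrecognized_name"}, {113, "bad_certificate_status_response"},
    {115, "unknown_psk_identity"}, {116, "certificate_required"},
    {120, "no_application_protocol"},
};

/* Returns the RFC name for an alert description, or NULL if not in the table. */
const char *alert_name(unsigned code) {
    for (size_t i = 0; i < sizeof ALERTS / sizeof ALERTS[0]; i++)
        if (ALERTS[i].code == code) return ALERTS[i].name;
    return NULL;
}

/* Finds "Alert[level|desc]" in a debug line and writes a readable form to out.
 * Returns 1 = known description, 0 = unknown description, -1 = no alert found. */
int annotate_alert_line(const char *line, char *out, size_t outlen) {
    unsigned level, desc;
    const char *p = strstr(line, "Alert[");
    if (!p || sscanf(p, "Alert[%u|%u]", &level, &desc) != 2) return -1;
    if (level > 255 || desc > 255) return -1;  /* each field is one byte on the wire */
    const char *lv = level == 2 ? "fatal" : level == 1 ? "warning" : "invalid-level";
    const char *name = alert_name(desc);
    snprintf(out, outlen, "%s alert %u (%s)", lv, desc, name ? name : "unknown");
    return name != NULL;
}

int main(void) {
    /* Constructed sample input; the last line uses an unassigned description. */
    const char *lines[] = {
        "|<5>| REC[0x5586e0e86ae0]: Decrypted Packet[3] Alert(21) with length: 2",
        "|<5>| REC[0x5586e0e86ae0]: Alert[2|116] - (null) - was received",
        "|<5>| REC[0x5586e0e86ae0]: Alert[2|200] - (null) - was received",
    };
    char buf[96];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (annotate_alert_line(lines[i], buf, sizeof buf) >= 0) puts(buf);
    return 0;
}
```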