
I am trying to configure two 'httpd' servers with TLS 1.2 (client certificate check enabled).

It works fine on one, but not on the second... I get: "unable to get local issuer certificate".

I tested with the same client certificate. The conf files are identical.

The only thing I notice: the "ServerHello" messages are different.

In the OK case, the ServerHello displays these extensions: server_name (0), renegotiation_info (65281), ec_point_formats (11), status_request_v2 (17), extended_master_secret (23), supported_versions (43), psk_key_exchange_modes (45) and key_share (51).

In the KO case, only: server_name (0), renegotiation_info (65281), ec_point_formats (11).

If anyone has an idea, it would be helpful.

  • Verify that the server certificate files have the correct content – fuero Feb 16 '21 at 09:24
  • The error is clearly related to the certificates sent by the server. Also, this does not look like a ServerHello, but instead like a ClientHello, i.e. sent from client to server and not the other way. – Steffen Ullrich Feb 16 '21 at 13:11
  • OP: your OK case is 1.3 not 1.2; are these servers supposed to be _exactly_ 1.2 or _minimum_ 1.2? What versions of httpd and openssl? Do you have any kind of frontend or loadbalancer on either or both? Is the _server_ reporting 'unable to get local issuer' or is one or more client(s) doing so? – dave_thompson_085 Feb 17 '21 at 06:38
  • @Steffen: those look like good ServerHellos (for 1.3 and 1.2) to me; ClientHello for 1.2 up should always include 13=sigalgs, and 1.3 would usually include 50=sigalgscerts; EC-capable 1.2 should include 10=curves and 1.3 must include 10=groups; modern clients would often include 16=ALPN. But it is odd for 1.3 server to accept 23=EMS because 1.3 KDF _always_ uses transcript. – dave_thompson_085 Feb 17 '21 at 06:39
  • @dave_thompson_085: thanks (again) for the corrections. – Steffen Ullrich Feb 17 '21 at 07:35
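Added diagnostic, not code from the original post: the comments above point out that the "OK" ServerHello is really a TLS 1.3 hello, because a 1.3 server leaves legacy_version at 0x0303 and signals 0x0304 in the supported_versions (43) extension. The Python below parses a raw ServerHello record and reports the negotiated version, the extension list, whether the server's Certificate and CertificateRequest messages will be encrypted (they are under TLS 1.3, so a packet capture shows the chain and the CA list only in the 1.2 case), and which extensions RFC 8446 section 4.1.3 does not permit in a TLS 1.3 ServerHello (the oddity raised about extended_master_secret). The two records are constructed test vectors that reproduce the two extension lists from the question, not captures from the poster's servers; EXTENSION_NAMES, parse_server_hello and build_server_hello are names chosen here.

```python
"""Parse a TLS ServerHello record and report what it actually negotiated.

Added example for the question above; not code from the original post.
The two records at the bottom are constructed test vectors.
"""
import struct

# Names from the IANA TLS ExtensionType registry.
EXTENSION_NAMES = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    13: "signature_algorithms", 16: "application_layer_protocol_negotiation",
    17: "status_request_v2", 23: "extended_master_secret",
    41: "pre_shared_key", 43: "supported_versions", 45: "psk_key_exchange_modes",
    50: "signature_algorithms_cert", 51: "key_share", 65281: "renegotiation_info",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# RFC 8446 section 4.1.3: a TLS 1.3 ServerHello carries only these extensions.
TLS13_SERVER_HELLO_EXTENSIONS = {41, 43, 51}


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _ext_name(ext_type: int) -> str:
    return f"{EXTENSION_NAMES.get(ext_type, 'unknown')} ({ext_type})"


def parse_server_hello(record: bytes) -> dict:
    """Return version, cipher suite and extension list of one ServerHello record.

    A TLS 1.3 server keeps legacy_version at 0x0303 and announces 0x0304 in
    supported_versions (43), so the extension, not the version field, decides.
    """
    if len(record) < 5 or record[0] != 0x16:  # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x02:  # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    msg = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(msg) < 38:  # version(2) + random(32) + sid_len(1) + suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    legacy_version = _u16(msg, 0)
    pos = 34                    # skip legacy_version and random
    pos += 1 + msg[pos]         # legacy_session_id_echo
    cipher_suite = _u16(msg, pos)
    pos += 3                    # cipher_suite (2) and compression_method (1)
    extensions = []
    negotiated = legacy_version
    if pos < len(msg):          # the extensions block is optional in TLS 1.2
        end = pos + 2 + _u16(msg, pos)
        pos += 2
        if end != len(msg):
            raise ValueError("extensions length does not match message length")
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", msg[pos:pos + 4])
            data = msg[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if len(data) != ext_len or pos > end:
                raise ValueError("truncated extension")
            extensions.append(ext_type)
            if ext_type == 43:  # server-side supported_versions holds exactly one version
                if ext_len != 2:
                    raise ValueError("malformed supported_versions in ServerHello")
                negotiated = _u16(data, 0)
    is_tls13 = negotiated >= 0x0304
    return {
        "legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
        "negotiated_version": VERSION_NAMES.get(negotiated, hex(negotiated)),
        "cipher_suite": hex(cipher_suite),
        "extensions": [_ext_name(t) for t in extensions],
        # Under TLS 1.3 Certificate and CertificateRequest are encrypted, so a
        # capture shows the server's chain and CA list only for a 1.2 handshake.
        "cert_messages_encrypted": is_tls13,
        "not_permitted_in_tls13_server_hello": (
            [_ext_name(t) for t in extensions if t not in TLS13_SERVER_HELLO_EXTENSIONS]
            if is_tls13 else []),
    }


def build_server_hello(cipher_suite: int, extensions: list) -> bytes:
    """Assemble a ServerHello record from (type, data) pairs; test-vector helper only."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    msg = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty sid
           + struct.pack("!H", cipher_suite) + b"\x00"          # suite, null compression
           + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed vectors reproducing the two extension lists reported in the question.
OK_HELLO = build_server_hello(0x1301, [                 # TLS_AES_128_GCM_SHA256
    (0, b""), (65281, b"\x00"), (11, b"\x01\x00"), (17, b""), (23, b""),
    (43, struct.pack("!H", 0x0304)), (45, b"\x01\x01"),
    (51, struct.pack("!HH", 0x001D, 32) + bytes(32)),   # x25519 share with a dummy key
])
KO_HELLO = build_server_hello(0xC02F, [                 # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (0, b""), (65281, b"\x00"), (11, b"\x01\x00"),
])

if __name__ == "__main__":
    for label, rec in (("OK", OK_HELLO), ("KO", KO_HELLO)):
        print(label, parse_server_hello(rec))
```

Once the version question is settled, the next thing to compare is what each server actually sends: `openssl s_client -connect host:443 -showcerts` (add `-tls1_2` to force the 1.2 path) prints the presented chain and a `Verify return code`. The string in the question is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, raised by whichever side is verifying when the issuer of a presented certificate is neither in its trust store nor included in the chain it received.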

0 Answers