
ssl3_get_client_certificate: no certificate returned


Tobias Nissen
Nov 15, 2011, 9:53:24 AM
Hi,

I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through
AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom
verification mechanism by setting verify_cb³. Here's an example (keys
included):

http://paste.scsys.co.uk/159837

If the custom verification callback decides a peer is bad, it shall
return 0 and return 1 otherwise. If 0 is returned, this warning is
produced:

ssl3_get_client_certificate: no certificate returned

It's only a warning which does not seem to impair functionality; no
warning is printed if 1 is returned.

I've already asked on the AnyEvent mailing list⁴, but the author of
AnyEvent::TLS couldn't really nail it down either. Can you help me?
Why is this warning printed and what could be done to eliminate the
problem?

TIA,
Tobias

¹ http://search.cpan.org/~mikem/Net-SSLeay-1.42/lib/Net/SSLeay.pm
² http://search.cpan.org/~mlehmann/AnyEvent-6.1/lib/AnyEvent/TLS.pm
  which I use through AnyEvent::MPRPC, but that shouldn't matter :-)
³ http://search.cpan.org/~mlehmann/AnyEvent-6.1/lib/AnyEvent/TLS.pm#verify_cb
⁴ http://lists.schmorp.de/pipermail/anyevent/2011q4/000203.html

Dr. Stephen Henson
Nov 15, 2011, 1:49:41 PM
On Tue, Nov 15, 2011, Tobias Nissen wrote:

> Hi,
>
> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through
> AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom
> verification mechanism by setting verify_cb³. Here's an example (keys
> included):
>
> http://paste.scsys.co.uk/159837
>
> If the custom verification callback decides a peer is bad, it shall
> return 0 and return 1 otherwise. If 0 is returned, this warning is
> produced:
>
> ssl3_get_client_certificate: no certificate returned
>
> It's only a warning which does not seem to impair functionality; no
> warning is printed if 1 is returned.
>
> I've already asked on the AnyEvent mailing list⁴, but the author of
> AnyEvent::TLS couldn't really nail it down either. Can you help me?
> Why is this warning printed and what could be done to eliminate the
> problem?
>

The warning isn't printed by OpenSSL; it is an error code. So perhaps the
wrapper is printing the error?

I don't know about that wrapper, but you should set a verify return code using
SSL_set_verify_result(), and if you want it to fail if no certificate is
returned you should also include the flag SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Tobias Nissen
Nov 15, 2011, 2:29:58 PM
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
>> through AnyEvent::TLS². AnyEvent::TLS provides the means to define
>> a custom verification mechanism by setting verify_cb³. Here's an
>> example (keys included):
>>
>> http://paste.scsys.co.uk/159837
>>
>> If the custom verification callback decides a peer is bad, it shall
>> return 0 and return 1 otherwise. If 0 is returned, this warning is
>> produced:
>>
>> ssl3_get_client_certificate: no certificate returned
>>
>> It's only a warning which does not seem to impair functionality; no
>> warning is printed if 1 is returned.
>>
>> I've already asked on the AnyEvent mailing list⁴, but the author
>> of AnyEvent::TLS couldn't really nail it down either. Can you help
>> me? Why is this warning printed and what could be done to eliminate
>> the problem?
>
> The warning isn't printed by OpenSSL it is an error code. So perhaps
> the wrapper is printing the error?

I didn't find it in either of the wrapper modules, but I did in OpenSSL:

tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
doc/ssleay.txt:Error because no certificate returned.
ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},

Dr. Stephen Henson
Nov 15, 2011, 2:35:00 PM
On Tue, Nov 15, 2011, Tobias Nissen wrote:

> Dr. Stephen Henson wrote:
> > On Tue, Nov 15, 2011, Tobias Nissen wrote:
> >> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
> >> through AnyEvent::TLS². AnyEvent::TLS provides the means to define
> >> a custom verification mechanism by setting verify_cb³. Here's an
> >> example (keys included):
> >>
> >> http://paste.scsys.co.uk/159837
> >>
> >> If the custom verification callback decides a peer is bad, it shall
> >> return 0 and return 1 otherwise. If 0 is returned, this warning is
> >> produced:
> >>
> >> ssl3_get_client_certificate: no certificate returned
> >>
> >> It's only a warning which does not seem to impair functionality; no
> >> warning is printed if 1 is returned.
> >>
> >> I've already asked on the AnyEvent mailing list⁴, but the author
> >> of AnyEvent::TLS couldn't really nail it down either. Can you help
> >> me? Why is this warning printed and what could be done to eliminate
> >> the problem?
> >
> > The warning isn't printed by OpenSSL it is an error code. So perhaps
> > the wrapper is printing the error?
>
> I didn't find it in either of the wrapper modules, but I did in OpenSSL:
>
> tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
> doc/ssleay.txt:Error because no certificate returned.
> ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},

Yes, but that's a textual version of the error. OpenSSL does not print it out:
an application call is needed to do that.

Tobias Nissen
Nov 16, 2011, 11:37:04 AM
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>> Dr. Stephen Henson wrote:
>>> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>>>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
>>>> through AnyEvent::TLS². AnyEvent::TLS provides the means to
>>>> define a custom verification mechanism by setting verify_cb³.
>>>> Here's an example (keys included):
>>>>
>>>> http://paste.scsys.co.uk/159837
>>>>
>>>> If the custom verification callback decides a peer is bad, it
>>>> shall return 0 and return 1 otherwise. If 0 is returned, this
>>>> warning is produced:
>>>>
>>>> ssl3_get_client_certificate: no certificate returned
[...]
>>> The warning isn't printed by OpenSSL it is an error code. So
>>> perhaps the wrapper is printing the error?
>>
>> I didn't find it in either of the wrapper modules, but I did in
>> OpenSSL:
>>
>> tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
>> doc/ssleay.txt:Error because no certificate returned.
>> ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no
>> certificate returned"},
>
> Yes but that's a textual version of the error. OpenSSL does not print
> it out: an application call is needed to do that.

Ah OK. However, I checked with AnyEvent::TLS and Net::SSLeay; neither
of those seems to emit this error message. SSLeay, which is what
AnyEvent::TLS uses, imports a lot of OpenSSL macros, but not
SSL_R_NO_CERTIFICATE_RETURNED. My guess is that the error is put there
by ssl/s3_srvr.c (line 2990, version 1.0.0e) and printed out by SSLeay.

Can you confirm this? If that's the case, I'd like to know how this
warning is produced. AFAICS my custom verification callback "breaks"
the verification chain, because of

ssl_verify_cert_chain(s,sk) <= 0

I still don't quite understand the meaning of the warning message. Can/
should I just live with it or does it indicate a bug (in either OpenSSL,
Net::SSLeay or AnyEvent::TLS)?
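Putting Steve's two points together (the verify callback returning 0 is what aborts the handshake, SSL_VERIFY_FAIL_IF_NO_PEER_CERT is what makes a missing client certificate fatal, and the reason text only ever appears because some application code pulls it off OpenSSL's error queue), here is an added example written for this page. It is not code from the thread, from the paste, or from the Net::SSLeay or AnyEvent::TLS distributions. It uses Net::SSLeay directly in a blocking server rather than AnyEvent::TLS, so the callback signature is Net::SSLeay's ($ok, $x509_store_ctx) and not AnyEvent::TLS's verify_cb. The file names server.crt, server.key and ca.crt, the port 4433 and the pinned client name client.example are assumptions, not anything from the thread.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from Net::SSLeay/AnyEvent::TLS:
# a minimal blocking TLS server that requires and checks a client
# certificate with Net::SSLeay, then drains OpenSSL's error queue itself
# when the handshake fails.
#
# Assumed (hypothetical) inputs:
#   server.crt / server.key  the server's own certificate and key
#   ca.crt                   CA that issued acceptable client certificates
#   port 4433                where to listen
#   client.example           the one client CN we accept
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay qw(die_now);

my $CERT       = 'server.crt';
my $KEY        = 'server.key';
my $CA         = 'ca.crt';
my $PORT       = 4433;
my $ALLOWED_CN = 'client.example';

Net::SSLeay::load_error_strings();   # otherwise ERR_error_string() is numeric only
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

my $ctx = Net::SSLeay::CTX_new() or die_now("CTX_new failed");
Net::SSLeay::CTX_use_PrivateKey_file($ctx, $KEY, Net::SSLeay::FILETYPE_PEM()) == 1
    or die_now("private key $KEY");
Net::SSLeay::CTX_use_certificate_file($ctx, $CERT, Net::SSLeay::FILETYPE_PEM()) == 1
    or die_now("certificate $CERT");
Net::SSLeay::CTX_load_verify_locations($ctx, $CA, '') == 1
    or die_now("CA file $CA");

# Ask for a client certificate, make its absence fatal
# (SSL_VERIFY_FAIL_IF_NO_PEER_CERT), and run our own callback on top of
# OpenSSL's chain checks.
Net::SSLeay::CTX_set_verify(
    $ctx,
    Net::SSLeay::VERIFY_PEER() | Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT(),
    \&verify_cb,
);

# Called once per certificate in the chain, leaf last. $ok is OpenSSL's
# verdict so far. Returning 0 makes ssl_verify_cert_chain() fail, the
# server pushes an error onto its queue and aborts the handshake with an
# alert; nothing is printed unless we do it ourselves (see below).
sub verify_cb {
    my ($ok, $x509_store_ctx) = @_;
    my $depth   = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
    my $cert    = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
    my $subject = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_subject_name($cert));

    if (!$ok) {
        my $err = Net::SSLeay::X509_STORE_CTX_get_error($x509_store_ctx);
        warn "chain check failed at depth $depth ($subject): ",
             Net::SSLeay::X509_verify_cert_error_string($err), "\n";
        return 0;
    }
    # Extra policy on the leaf only (depth 0): pin the subject CN.
    if ($depth == 0 && $subject !~ m{/CN=\Q$ALLOWED_CN\E(?:/|$)}) {
        warn "rejecting client $subject\n";
        return 0;
    }
    return 1;
}

# Print whatever OpenSSL left on its error queue. OpenSSL itself never
# prints these; a reason string such as "no certificate returned" only
# reaches the terminal because application code calls ERR_get_error()
# and ERR_error_string().
sub report_ssl_errors {
    my ($what) = @_;
    while (my $e = Net::SSLeay::ERR_get_error()) {
        warn "$what: ", Net::SSLeay::ERR_error_string($e), "\n";
    }
}

my $listener = IO::Socket::INET->new(
    LocalPort => $PORT, Listen => 5, ReuseAddr => 1, Proto => 'tcp',
) or die "listen on $PORT: $!";

while (my $conn = $listener->accept) {
    my $ssl = Net::SSLeay::new($ctx) or die_now("SSL_new failed");
    Net::SSLeay::set_fd($ssl, fileno($conn));

    if (Net::SSLeay::accept($ssl) <= 0) {
        report_ssl_errors("handshake failed");
    } else {
        my $peer = Net::SSLeay::get_peer_certificate($ssl);
        my $who  = Net::SSLeay::X509_NAME_oneline(
            Net::SSLeay::X509_get_subject_name($peer));
        Net::SSLeay::write($ssl, "hello $who\n");
        Net::SSLeay::shutdown($ssl);
    }
    Net::SSLeay::free($ssl);
    close $conn;
}
Net::SSLeay::CTX_free($ctx);
```

Start it, then connect with `openssl s_client -connect localhost:4433` once without and once with `-cert`/`-key` pointing at a client certificate signed by ca.crt. In both failing cases the handshake is aborted and report_ssl_errors() is the only thing that turns the queued error code into text; comment that call out and the rejection is just as effective but silent, which is the distinction Steve draws above between OpenSSL recording an error code and an application printing it.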
