20 Dec
2017
20 Dec
'17
1:41 a.m.
Hi. On 19.12.2017 20:48, Alan DeKok wrote: > If it can't verify the CA or server cert, OpenSSL fails, and we never get to check the client cert. > > When the client cert gets printed, the fields get printed as "TLS-Client-Cert-Serial", not as "TLS-Cert-Serial" Hmm. There is no TLS-Client-Cert-Serial in the debug log indeed. So you're saying that 1) FR gets client cert from the client (not a full chain in our case, see capture) 2) FR tries to check full cert chain and OpenSSL finds the issuer of that client cert has wrong OIDs and raise an error flag. Right? -- Boris Lytochkin Yandex NOC +7 (495) 739 70 00 ext. 7671