openssl: tls_construct_server_key_exchange:internal error / tls_process_server_certificate:length mismatch
We’re running into an issue in OpenSSL 1.1.1+ where we’re trying to change the key/cert based on SNI and ALPN (the code worked with previous releases). For compat with earlier OpenSSL versions we’re using SSL_set_SSL_CTX. The issue only seems to happen when the original context is not TLS 1.3. If the server uses TLS 1.3 then everything seems to work out…
The server side reports:

```
starttls: error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error
```

Client side reports:

```
140620744139200:error:1416F09F:SSL routines:tls_process_server_certificate:length mismatch:…/ssl/statem/statem_clnt.c:1848:
```

Test case here: https://gist.github.com/james-callahan/7f021533ad20ed107938885f2304b43e#file-test-server-lua
About this issue
- State: closed
- Created 6 years ago
- Comments: 16 (15 by maintainers)
Commits related to this issue
- fix(templates) turn on TLSv1.3. This acts as a workaround for https://github.com/openssl/openssl/issues/7660 — committed to james-callahan/kong by james-callahan 6 years ago
- fix(templates) enable TLSv1.3 in ssl_protocols directive. This acts as a workaround for https://github.com/openssl/openssl/issues/7660. From #4046 — committed to Kong/kong by james-callahan 6 years ago
I think this would be the right fix? https://github.com/openssl/openssl/compare/master...james-callahan:7660-alpn_select-cert-change
I’d PR it but I’m having trouble writing a test for it.