TLS 1.3 certificate authentication fails with "post-handshake" error.

celane23

celane23 last edited by

TLS 1.3 "cannot perform post-handshake authentication" when using client certificate authentication.

opera-stable-101.0.4843.58-0.x86_64 on Fedora 36

Web page served on Apache httpd-2.4.37-56
OpenSSL 1.1.1k
on AlmaLinux 8.7
(I'm running this node, so can change the config to test TLS v1.3 functionality)

Works fine doing client certificate authentication with Apache config line:
SSLProtocol -all +TLSv1.2
but error shows up with
SSLProtocol -all +TLSv1.2 +TLSv1.3
Firefox seems to have a "config setting" to allow post-handshake authentication that
prevents this problem, but if Opera has such a flag, it' very well hidden.

It's only a matter of time before TLSv1.2 becomes insecure, so having the full suite of capabilities on TLSv1.3 is essential.

fonm

fonm last edited by fonm

opera-stable --tls1.3 --ssl-version-min 1.3

fonm

fonm @fonm last edited by

@fonm said in TLS 1.3 certificate authentication fails with "post-handshake" error.:

opera-stable --tls1.3 --ssl-version-min 1.3

opera-stable --tls1.3 --ssl-version-min="tls1.3"

celane23

celane23 @fonm last edited by leocg

@fonm
your suggestion doesn't fix the "post-handshake" error with TLS 1.3, and in addition causes many other websites (including This one!) to fail, because they are not running TLS 1.3.