Tags: openssl, microsoft-edge, smartcard, client-certificate, mtls

mTLS auth fails, unclear why

I'm trying to implement smartcard login on my website. I have NodeJS and my own CA to generate the client cert.

Everything works when the cert is imported in the cert store on the client PC, I can authenticate with that setup. When I try to use the same cert imported into a V3 smartcard:

    Received Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ChangeCipherSpec (20)
      Length = 1
    Received Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 25
      Inner Content Type = Handshake (22)
        Certificate, Length=4
          context (len=0): 
          certificate_list, length=0
    
    Sent Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 19
      Inner Content Type = Alert (21)
        Level=fatal(2), description=unknown(116)

So why does the client send a handshake failure just after it sent over the certs? I am pretty sure the certs are fine locally; this succeeds:

    openssl s_client -connect website.com:443 -prexit -cert usercert.pem -key userkey.pem -CAfile fullchain.pem -pass pass:12345
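The trace in the question already contains the explanation, but OpenSSL printed the alert as `unknown(116)`. The following is an added example (not part of the original post) that parses that exact `-trace` excerpt, names the alert from the IANA TLS alert registry, and reports what each record means. It assumes the trace was taken on the server side (the empty `Certificate` message can only be the client's), and the `parseTrace`/`diagnose` function names are mine.

```javascript
// Added example: decode the OpenSSL -trace excerpt from the question.
// Assumption: the trace was captured on the server side, so "Received"
// means "from the client" and "Sent" means "from this server".

// TLS alert descriptions (RFC 5246 s7.2 and RFC 8446 s6.2). Older OpenSSL
// builds print "unknown(116)" because certificate_required is TLS 1.3 only.
const ALERT_DESCRIPTIONS = {
  0: 'close_notify', 10: 'unexpected_message', 20: 'bad_record_mac',
  22: 'record_overflow', 40: 'handshake_failure', 42: 'bad_certificate',
  43: 'unsupported_certificate', 44: 'certificate_revoked',
  45: 'certificate_expired', 46: 'certificate_unknown', 47: 'illegal_parameter',
  48: 'unknown_ca', 49: 'access_denied', 50: 'decode_error', 51: 'decrypt_error',
  70: 'protocol_version', 71: 'insufficient_security', 80: 'internal_error',
  86: 'inappropriate_fallback', 90: 'user_canceled', 109: 'missing_extension',
  110: 'unsupported_extension', 112: 'unrecognized_name',
  113: 'bad_certificate_status_response', 115: 'unknown_psk_identity',
  116: 'certificate_required', 120: 'no_application_protocol',
};

// Sample input: the trace pasted in the question, verbatim.
const TRACE = [
  'Received Record', 'Header:', '  Version = TLS 1.2 (0x303)',
  '  Content Type = ChangeCipherSpec (20)', '  Length = 1',
  'Received Record', 'Header:', '  Version = TLS 1.2 (0x303)',
  '  Content Type = ApplicationData (23)', '  Length = 25',
  '  Inner Content Type = Handshake (22)', '    Certificate, Length=4',
  '      context (len=0): ', '      certificate_list, length=0', '',
  'Sent Record', 'Header:', '  Version = TLS 1.2 (0x303)',
  '  Content Type = ApplicationData (23)', '  Length = 19',
  '  Inner Content Type = Alert (21)',
  '    Level=fatal(2), description=unknown(116)',
].join('\n');

// Turn the indented trace text into one object per TLS record.
function parseTrace(text) {
  const records = [];
  let cur = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = /^(Received|Sent) Record$/.exec(line))) {
      cur = { direction: m[1], contentType: null, innerType: null, handshake: null, alert: null };
      records.push(cur);
    } else if (!cur) {
      continue;
    } else if ((m = /^Content Type = (\w+) \((\d+)\)$/.exec(line))) {
      cur.contentType = m[1];
    } else if ((m = /^Inner Content Type = (\w+) \((\d+)\)$/.exec(line))) {
      cur.innerType = m[1];
    } else if ((m = /^(\w+), Length=(\d+)$/.exec(line))) {
      cur.handshake = { type: m[1], length: Number(m[2]), certListLength: null };
    } else if ((m = /^certificate_list, length=(\d+)$/.exec(line)) && cur.handshake) {
      cur.handshake.certListLength = Number(m[1]);
    } else if ((m = /^Level=(\w+)\((\d+)\), description=\w+\((\d+)\)$/.exec(line))) {
      const code = Number(m[3]);
      cur.alert = { level: m[1], code, name: ALERT_DESCRIPTIONS[code] || 'unknown' };
    }
  }
  return records;
}

// Explain the records in handshake terms.
function diagnose(records) {
  const findings = [];
  // An "Inner Content Type" inside ApplicationData records only exists in
  // TLS 1.3, where everything after ServerHello is encrypted.
  if (records.some((r) => r.contentType === 'ApplicationData' && r.innerType)) {
    findings.push('TLS 1.3 negotiated: handshake messages are wrapped in encrypted ApplicationData records');
  }
  for (const r of records) {
    const peer = r.direction === 'Received' ? 'client' : 'server';
    if (r.handshake && r.handshake.type === 'Certificate' && r.handshake.certListLength === 0) {
      findings.push(`${peer} sent an empty Certificate message (certificate_list length 0): no client certificate presented`);
    }
    if (r.alert) {
      findings.push(`${peer} sent ${r.alert.level} alert ${r.alert.code} (${r.alert.name})`);
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of diagnose(parseTrace(TRACE))) console.log('- ' + f);
}
```

Run it and the three findings show the sequence: TLS 1.3 was negotiated, the browser answered the CertificateRequest with an empty certificate list (the card never supplied a certificate), and the server then sent `certificate_required`, an alert that exists only in TLS 1.3. That is consistent with the fix below of taking TLS 1.3 out of the picture for this client.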

Solution

  • Finally the answer was to disable TLSv1.3. V3 applet cards (as opposed to MD cards) don't support some cipher suite from TLSv1.3; I haven't checked which in any detail.