Tongsuo
Handshake should terminate if CertificateVerify failed
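While testing against RFC 8998, I ran into the following situation.
Although an error was already reported when verifying the signature in CertificateVerify, the handshake was not terminated immediately, and in the end a message was displayed that looks like a successful handshake.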
SSL_connect:SSLv3/TLS read server certificate
CertificateVerify, Length=76
Signature Algorithm: sm2sig_sm3 (0x0708)
Signature (len=72): ... ...
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 2
write to 0x7f7f90f04080 [0x7f7f92017c00] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 33 ......3
Level=fatal(2), description=decrypt error(51)
SSL3 alert write:fatal:decrypt error
SSL_connect:error in error
4622347776:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_lib.c:617:
... ...
... ...
... ...
SSL handshake has read 1349 bytes and written 217 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
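Did the connection actually succeed? Or is it just a display issue?
The connection failed.
Is the success shown afterwards because the clienthello retry in TLS 1.3 tried a different ciphersuite?
Why would it try a different cipher suite? CertificateVerify verification has nothing to do with the cipher suite, does it? It is related to the signature scheme. Even with a different cipher suite, it would still fail.
Judging from the output, bad signature is already shown and the handshake failed in the end, which is as expected.
What specifically is not as expected about the handshake not terminating immediately? I suggest sending the complete trace information to make the problem easier to locate.
Looking at it now, the main issue seems to be that the final block of information is rather misleading.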
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
> Looking at it now, the main issue seems to be that the final block of information is rather misleading.
> New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
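That is just normal information output; I don't see anything abnormal.
Since the connection failed, shouldn't the information above not be displayed?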
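As an added example (not from the thread or the Tongsuo project): a Python check that decides the handshake outcome for a trace in the format shown above from the fatal alert, state error and error-queue lines, instead of the trailing summary block, which the trace prints with `Verify return code: 0 (ok)` even though the handshake failed. The sample traces are constructed, abbreviated from the output quoted in this thread; `classify` and its field names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the failing trace quoted in this thread.
SAMPLE_FAILED = """\
SSL_connect:SSLv3/TLS read server certificate
SSL3 alert write:fatal:decrypt error
SSL_connect:error in error
4622347776:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_lib.c:617:
SSL handshake has read 1349 bytes and written 217 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 0 (ok)
"""

# Constructed sample of a trace that carries no failure markers.
SAMPLE_OK = """\
SSL handshake has read 1349 bytes and written 217 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 0 (ok)
"""

ALERT_RE = re.compile(r"^SSL3 alert (read|write):fatal:(.+)$")
# Error-queue line as printed above: id:error:code:library:function:reason:file:line:
ERRQ_RE = re.compile(r"^[0-9A-Fa-f]+:error:[0-9A-Fa-f]+:[^:]*:([^:]*):([^:]*):")
STATE_ERR_RE = re.compile(r"^SSL_(connect|accept):error in ")
VERIFY_RE = re.compile(r"^Verify return code: (\d+) \(")


def classify(trace: str) -> dict:
    """Report whether the handshake failed, ignoring the summary block."""
    alerts, errors, state_error, verify_code = [], [], False, None
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := ALERT_RE.match(line):
            alerts.append((m.group(1), m.group(2)))   # (direction, description)
        elif m := ERRQ_RE.match(line):
            errors.append((m.group(1), m.group(2)))   # (function, reason)
        elif STATE_ERR_RE.match(line):
            state_error = True
        elif m := VERIFY_RE.match(line):
            verify_code = int(m.group(1))
    failed = bool(alerts or errors or state_error)
    # A summary claiming code 0 after a failed handshake must not be trusted.
    return {"handshake_failed": failed, "alerts": alerts, "errors": errors,
            "verify_code": verify_code,
            "misleading_summary": failed and verify_code == 0}


if __name__ == "__main__":
    print(classify(SAMPLE_FAILED))
```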