New thread: https://forums.bitfire.at/post/14019
Client certificates + TLSv1.3
When apache server is set with SSLVerifyClient require
and TLSv1.3 then DAVx5 (download of yesterday) connection throw an error: “SSL_verify_client_post_handshake:extension not received .” This is related to a change in TLSv1.3 doing ‘post-handshake’ operation rather than a ‘renegotiation’
@jose Does TLS 1.3 now support client certificates? The last time I had a look it didn’t, so DAVx⁵ + client certificates can only be used with TLS 1.2 at the moment.
@rfc2822 Yes TLSv1.3 support client certificates (can check with openssl s_client) – yes DAVx5 works if the protocol of the server is downgraded to TLSv1.2. However, when the server announce TLSv1.3 it is used by Android and DAVx5 no more works
@jose Ok. Someone would have to check whether this works with current okhttp + Conscrypt versions and then TLS 1.3 could be activated for client certificates again.