On Fri, 2016-09-16 at 15:07 +0200, Nikos Mavrogiannopoulos wrote:
> Ok. For openconnect client it would be fairly easy to handle this,
> only send an extension with fairly static data, as it only sends a
> username.

Just checking... the idea is to put the client identifier here; the hex
string which we're *currently* using in the session-id. Not the
hard-coded "psk" string which we currently send as PSK identity. That
would be kind of pointless :)

> However, there is a catch, we should do that for both
> openssl and gnutls. Ocserv would require to be able to parse the TLS
> client hello since the extension data are in variable positions,
> however that shouldn't be really hard. I could do the ocserv part and
> the gnutls part if you do the openssl part :)

Yeah, I can register custom SSL extensions with OpenSSL too.

> > (Actually, let's not use 'PSK-NEGOTIATE' since we currently use it to
> > mean something else. Let's call them... 'PSK-IDENTITY-01' and then
> > maybe in the future 'PSK-IDENTITY-RFCxxxx' or something like that.)
>
> Let's not change it yet. Since we are experimenting let's keep it for
> the current version of the protocol, and if we need again we change
> it.

OK.

-- 
dwmw2
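The server-side work Nikos describes above, walking a ClientHello to reach extension data that sits at a variable offset behind the session-id, cipher-suite and compression-method fields, as an added example that is not part of this thread and not ocserv or openconnect code. The extension type number 0xFF01, the sample client-id string and the ClientHello bytes are constructed placeholders for the example, not values the projects use; every length prefix is bounds-checked so a truncated or malformed hello is rejected rather than misparsed.

```python
import struct

# Hypothetical extension type for the client-identifier extension.
# Constructed for this example; not an IANA-registered value and not the
# number the projects chose.
EXT_CLIENT_ID = 0xFF01


def build_client_hello(session_id: bytes, extensions: list) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x11" * 32                     # client_random (fixed, constructed)
    body += bytes([len(session_id)]) + session_id
    suites = b"\x00\x2f\x00\x35"             # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    # Handshake header: msg_type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(buf: bytes, pos: int, n: int) -> None:
    """Raise if fewer than n bytes remain at pos."""
    if pos + n > len(buf):
        raise ValueError("ClientHello truncated at offset %d" % pos)


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a ClientHello record.

    Everything before the extensions block is variable-length, so each
    offset is derived from the preceding length prefix, never assumed.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("record shorter than its declared length")
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("ClientHello shorter than its declared length")

    pos = 2 + 32                              # skip version and random
    _need(body, pos, 1)
    sid_len = body[pos]; pos += 1
    _need(body, pos, sid_len); pos += sid_len  # session_id (variable)
    _need(body, pos, 2)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    _need(body, pos, cs_len); pos += cs_len    # cipher_suites (variable)
    _need(body, pos, 1)
    cm_len = body[pos]; pos += 1
    _need(body, pos, cm_len); pos += cm_len    # compression_methods (variable)
    if pos == len(body):
        return {}                             # hello carries no extensions
    _need(body, pos, 2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions block length does not match body")

    exts = {}
    while pos < end:
        _need(body, pos, 4)
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        if pos + ext_data_len > end:
            raise ValueError("extension overruns extensions block")
        exts[ext_type] = body[pos:pos + ext_data_len]; pos += ext_data_len
    return exts


def client_id_from_hello(record: bytes):
    """Return the client identifier carried in EXT_CLIENT_ID, or None."""
    data = parse_client_hello_extensions(record).get(EXT_CLIENT_ID)
    return data.decode("ascii") if data is not None else None


if __name__ == "__main__":
    # Constructed hello: non-empty session id and an SNI extension placed
    # before the client-id extension, so the id is not at a fixed offset.
    sni = b"\x00\x0a\x00\x00\x07example"
    hello = build_client_hello(b"\xaa" * 8, [(0x0000, sni), (EXT_CLIENT_ID, b"deadbeef")])
    print(client_id_from_hello(hello))
```

The parser rejects any hello whose declared lengths disagree with the bytes actually present, which is the failure mode to care about when the server starts trusting a field it pulls out of the ClientHello itself.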