Re: RFC5077 ticket construction help

Ok, but I’d like to use TLS rather than Kerberos. I’m wondering if I could do something like this:

  • C sends a Client Hello with a 0-length Session Ticket to B.
  • B sends back a NewSessionTicket to C in Server Hello.
  • C sets SSL_CTX_sess_set_new_cb(ctx, new_session_cb) and saves the session blob/ticket in the new_session_cb function, indexed by the URL of B.
  • A contacts C with the URL of B.
  • C looks up the session ticket indexed by the URL of B.
  • C sends A the session ticket.
  • A contacts B and sets the ticket using SSL_set_session_ticket_ext(ssl, ticket, ticket size).

Feasible? I’m trying something like this now but I can’t get it working.

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Michael Sierchio <kudzu@xxxxxxxxxxxx>
Reply-To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Date: Wednesday, March 28, 2018 at 12:45 PM
To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: RFC5077 ticket construction help

Since there exists a reference implementation, and the source code is available, why not start there? The symmetric key protocol is the basis of Kerberos.

- M

On Wed, Mar 28, 2018 at 9:26 AM, Henderson, Karl via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

Need some help with RFC5077 ticket construction. I’d like to implement a type of Needham-Schroeder protocol where:

  • A wants to talk to B
  • A and B have a relationship with C
  • C constructs an RFC5077 ticket and gives it to A so that A can contact B

Are there any good examples of how to do this?

The problem I think I’m having the most difficulty with is understanding what I need to put into the encrypted_state portion of the session ticket.

Thanks,

Karl

 


--
openssl-users mailing list
To unsubscribe:
https://mta.openssl.org/mailman/listinfo/openssl-users



 

--

"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
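Added example, not from the thread and not OpenSSL's code: the ticket layout that RFC 5077 section 4 recommends, which is the concrete answer to "what goes into encrypted_state". The RFC's StatePlaintext is protocol_version, cipher_suite, compression_method, the 48-byte master_secret, a ClientIdentity and a timestamp; that is wrapped as key_name || iv || encrypted_state (with its 2-byte length) || mac, where the HMAC-SHA-256 covers every field before it. Two assumptions are mine: the RFC recommends AES-128-CBC for encrypted_state, and to keep the example on the Python standard library the cipher below is a counter-mode keystream built from HMAC-SHA-256 instead (a labelled stand-in, not the RFC's construction); and the key store, sample key bytes and timestamp are constructed for illustration. OpenSSL's own tickets put its serialized SSL_SESSION inside an envelope of this kind rather than this StatePlaintext, so OpenSSL will not accept a ticket produced here. Note what the layout implies for the delegation scheme discussed above: the master_secret lives inside encrypted_state and is only readable by the server that holds the ticket key, so a ticket alone lets nobody resume a session; the client side of the resumption also needs the matching session state.

```python
import hashlib
import hmac
import os
import struct

# Field sizes from the RFC 5077 section 4 recommended ticket layout:
#   opaque key_name[16]; opaque iv[16]; opaque encrypted_state<0..2^16-1>; opaque mac[32];
KEY_NAME_LEN = 16
IV_LEN = 16
MAC_LEN = 32
CLIENT_ID_ANONYMOUS = 0  # ClientAuthenticationType: anonymous(0), certificate_based(1), psk(2)


def encode_state(protocol_version, cipher_suite, compression_method, master_secret, timestamp):
    """Serialize StatePlaintext (RFC 5077 section 4) with an anonymous ClientIdentity.

    Layout: protocol_version(2) cipher_suite(2) compression_method(1) master_secret(48)
            client_identity(1-byte type, empty body for anonymous) timestamp(4).
    """
    if len(master_secret) != 48:
        raise ValueError("master_secret must be 48 bytes")
    return (struct.pack("!HHB", protocol_version, cipher_suite, compression_method)
            + master_secret + bytes([CLIENT_ID_ANONYMOUS]) + struct.pack("!I", timestamp))


def decode_state(blob):
    """Inverse of encode_state; only the anonymous ClientIdentity case is handled here."""
    if len(blob) != 58:
        raise ValueError("unexpected StatePlaintext length")
    protocol_version, cipher_suite, compression_method = struct.unpack("!HHB", blob[:5])
    if blob[53] != CLIENT_ID_ANONYMOUS:
        raise ValueError("only anonymous ClientIdentity is handled in this example")
    return {
        "protocol_version": protocol_version,
        "cipher_suite": cipher_suite,
        "compression_method": compression_method,
        "master_secret": blob[5:53],
        "timestamp": struct.unpack("!I", blob[54:58])[0],
    }


def _keystream(enc_key, iv, length):
    """ASSUMPTION: stand-in for the AES-128-CBC that RFC 5077 recommends, so the example
    needs no third-party library. Counter mode built on HMAC-SHA-256(enc_key, iv || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_ticket(key_name, enc_key, mac_key, state_plaintext, iv=None):
    """Produce key_name || iv || len(encrypted_state) || encrypted_state || mac.

    The MAC covers everything before it, including the 2-byte length, as RFC 5077 specifies.
    """
    if len(key_name) != KEY_NAME_LEN:
        raise ValueError("key_name must be 16 bytes")
    iv = os.urandom(IV_LEN) if iv is None else iv
    encrypted_state = _xor(state_plaintext, _keystream(enc_key, iv, len(state_plaintext)))
    body = key_name + iv + struct.pack("!H", len(encrypted_state)) + encrypted_state
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_ticket(keys_by_name, ticket, now, max_age):
    """Server-side check. keys_by_name maps key_name -> (enc_key, mac_key); that lookup is
    how key rotation works: an unknown key_name means 'full handshake, issue a fresh ticket'.
    Returns (state_dict, None) on success or (None, reason) otherwise.
    """
    if len(ticket) < KEY_NAME_LEN + IV_LEN + 2 + MAC_LEN:
        return None, "truncated"
    key = keys_by_name.get(ticket[:KEY_NAME_LEN])
    if key is None:
        return None, "unknown_key"
    enc_key, mac_key = key
    body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    # Verify the MAC before touching the ciphertext, and compare in constant time.
    if not hmac.compare_digest(mac, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None, "bad_mac"
    iv = ticket[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
    (ct_len,) = struct.unpack("!H", ticket[32:34])
    if 34 + ct_len + MAC_LEN != len(ticket):
        return None, "bad_length"  # defensive; a valid MAC already implies a consistent length
    encrypted_state = ticket[34:34 + ct_len]
    state = decode_state(_xor(encrypted_state, _keystream(enc_key, iv, ct_len)))
    if now - state["timestamp"] > max_age:
        return None, "expired"  # pair this with the ticket_lifetime_hint sent in NewSessionTicket
    return state, None


if __name__ == "__main__":
    # Constructed demo values: a fresh ticket key pair and a TLS 1.2 session issued on 2018-03-28.
    key_name, enc_key, mac_key = os.urandom(16), os.urandom(16), os.urandom(32)
    state = encode_state(0x0303, 0xC02F, 0, os.urandom(48), 1522195200)
    ticket = build_ticket(key_name, enc_key, mac_key, state)
    print(len(ticket), open_ticket({key_name: (enc_key, mac_key)}, ticket, 1522195200 + 60, 3600))
```

The order inside open_ticket is the part worth copying: key_name lookup first, MAC check second, decryption last, and only then the freshness check on the timestamp that the server itself placed in the state.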
