On 22/11/2018 15:58, Pfluegl, Andreas wrote: > > I expect server_parse_cb() returning 0 to cause the interruption of the connection. > > Can you confirm this? Yes. According to the docs: "If the B<parse_cb> considers the extension data acceptable it must return 1. If it returns 0 or a negative value a fatal handshake error occurs using the TLS alert value specified in B<*al>." https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_add_server_custom_ext.html > > Here I am missing server_parse_cb() (see Server trace scenario 1) When a client receives a HelloRequest message it will send a new ClientHello and attempt to resume the connection. The attempt at resumption does not occur when a reneg is initiated from the client side unless you call SSL_renegotiate_abbreviated() instead of SSL_renegotiate(). If the attempt at resumption is successful then custom extension parsing does not get invoked on the server side. This is by design: https://github.com/openssl/openssl/blob/0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a/ssl/t1_lib.c#L2314-L2325 Unfortunately the docs in 1.1.0 are a bit lacking on this point. They have been significantly revised and updated in 1.1.1 and hopefully this is a little more obvious. In particular note that the 1.1.1 flag SSL_EXT_IGNORE_ON_RESUMPTION is automatically set when calling SSL_CTX_add_server_custom_ext(). This is so that the behaviour is backwards compatible with 1.1.0: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html In 1.1.1 we have the new function SSL_CTX_add_custom_ext() which (among other things) allows you to control whether the callback is called during resumption or not. See the doc link above. So, in order to solve your problem, I see 2 possible solutions: 1) Upgrade to 1.1.1 and use the new SSL_CTX_add_custom_ext() API. or 2) Invalidate any sessions in the session cache for old connections that were established using the old certificate. You'll need to some additional custom code to track that I imagine. You'll also need to avoid session tickets for that to work. Probably the upgrade to 1.1.1 is your best bet since 1.1.0 is only supported until September 2019 anyway. Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
