On 07/06/2022 15:02, Matt Caswell wrote:
>
>
> On 07/06/2022 13:46, Michael Richardson wrote:
>> Matt Caswell <matt@xxxxxxxxxxx> wrote:
>> > On 06/06/2022 18:08, Christian Schmidt wrote:
>> >> Hi,
>> >> I am building a server application that allows a user to log in by
>> >> providing a certificate. In order to do custom checks, I have added a
>> >> verify callback to my code to check the certificate on top of its
>> >> cryptographic features (CA valid, etc).
>> >> If the certificate does not pass my extended checks, I would like to
>> >> return the access_denied alert as per RFC8446 section 6.2:
>> >> access_denied: A valid certificate or PSK was received, but when
>> >> access control was applied, the sender decided not to proceed with
>> >> negotiation.
>> >> However, I can't find a way to generate this alert in openssl, although
>> >> openssl can handle receiving it.
>> >> How do I make a callback return a non-defined (as in not defined in the
>> >> headers) alert?
>>
>> > This is not currently possible.
>>
>> > OpenSSL has an internal table which maps verify errors to TLS alerts:
>>
>> > https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394
>>
>> > Unfortunately there are no entries in this table that map to the
>> > access_denied alert.
>>
>> Would extensions to this list be welcome?
>> Should Christian send a PR?
>
> I would be happy to review such a PR - although it would only be applied
> to master and not 3.0 or 1.1.1. Any PR could only be in the form of
> additions to the table (not modifications to existing entries), so as
> not to break existing behaviour.

By PR, do you mean Problem Report or Pull Request? Because after reading up on it, it seems that a Pull Request would require a CLA, and I am not willing to sign any contract under US law (I have no idea of the implications, and a lawyer to explain these is not reasonably affordable for roughly two LOC).

The things I know it for are unreasonable laws (I suppose an Access Denied alert might be patentable/copyrightable under US law, while it wouldn't under EU law), ridiculously off compensations (which seems a risk to me - I do not know if someone holds a patent/copyright on the alert from the RFC, and do not know how to check), and violating Europeans' constitutional laws (see the discussion around safe harbor agreements / GDPR).

Best regards,
Christian