Re: TLS 1.3 Early data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

seconds after I send the previous mail, I found the bug in my code. It is
working with Benjamin's suggestion.

Thanks
Jens

On 12/11/2022 11:18, Dirk Menstermann wrote:
Hi Benjamin,

thanks for your response. I updated to 111s and replaced the SNI callback with
the ClientHello callback as suggested, but still no luck. So far FF does not
send early data if it was not configured before the handshake started.
Do you have another idea?

Best,
Jens

On 05/11/2022 21:12, Benjamin Kaduk wrote:
On Sat, Nov 05, 2022 at 11:50:18AM +0100, Dirk Menstermann wrote:
Hello,

I did few experiments with early data but was not successful in solving my
exotic use case: "Using early data dependent on the SNI"

I control the server (linux, supports http2) based on OpenSSL 111q and use a
recent firefox as client:

1) Setting SSL_CTX_set_max_early_data in the SSL_CTX* works (FF sends early
data)
2) Setting SSL_set_max_early_data on the just created SSL* works (FF sends early
data)
3) Setting SSL_set_max_early_data in the SNI callback during the handshake does
not work (FF does not send early data)

I guess there is a dirty way to "peek" into the client hello and parse it
without OpenSSL, extracting the SNI and make it then like in 2), but I wonder if
there is a better way.

Any idea?

The SNI callback runs far too late for this purpose (and, to be honest, a lot of
other purposes).  You should be able to use the client_hello callback for it,
though
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_client_hello_cb.html).

Note that SSL_get_servername() does not provide something useful within the
client hello callback execution and you'll have to do something like
https://github.com/openssl/openssl/blob/master/test/helpers/handshake.c#L146-L198
in order to access the provided SNI value from the client.

-Ben






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux