[openssl-dev] cert_cb and TLS tickets

Fedor Indutny fedor at indutny.com
Sat Dec 10 14:16:39 UTC 2016


Alessandro,

Indeed I just checked BoringSSL's source and it calls cert_cb before
resuming the session. Inviting David Benjamin into this conversation.

David,

Do you have any insights or motivation to share with us? The way BoringSSL
handles session resumption + cert_cb is the correct one in my opinion, and
I'm trying to persuade everyone here of this too :)

Thank you,
Fedor.

On Sat, Dec 10, 2016 at 2:35 PM, Alessandro Ghedini <alessandro at ghedini.me>
wrote:

> On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote:
> > This totally makes sense. Unfortunately, adding a new API method for this
> > means that I'll have to re-introduce the ClientHello parser in bud, and make
> > wider use of it in Node.js again.
>
> FWIW, BoringSSL offers an early callback that is passed a semi-parsed CH, and
> an API to extract specific extensions from it (though this returns the raw
> unparsed extension body). Something similar could be adopted for OpenSSL.
>
> Whether this should be called in the CH post-process phase (immediately before
> cert_cb) or much earlier (like BoringSSL) is likely to affect the implementation
> though (e.g. I'm not sure if the CH buffer is still available in the post
> process).
>
> Might be worth noting that BoringSSL changed the CH processing recently, by
> moving the session resumption logic after cert_cb, which means cert_cb is now
> called every time, but without an SSL_SESSION being available. So calling the
> cert_cb unconditionally is not unheard of.
>
> Cheers