[openssl-dev] Token binding as a custom extension

Bill Cox waywardgeek at gmail.com
Wed Mar 30 10:06:56 UTC 2016


Hi.  I implemented the token binding TLS negotiation extension in BoringSSL
using the OpenSSL custom extension API.  AFAIK, there are no current
examples of any custom extensions in the OpenSSL code base.  Is this
correct?  While my ulterior motive is to promote token binding (Google pays
me to work on token binding), would the OpenSSL devs find it useful to have
a token binding extension as an example of how to use the OpenSSL custom
extension API?

If so, there is one problem still in the OpenSSL custom extension API,
which was a 1-line fix in BoringSSL.  The server currently checks if the
handshake is a resume, and if so, does not send custom extensions.  This
check can easily be done in the custom extensions, and having it hard-coded
makes the custom extension API impossible to use for extensions like token
binding that require the extension be sent from the server on a resume.
Would there be any interest in changing this behavior in the custom
extension API to support more use cases like token binding?  It is a very
simple change.  If you folks are interested, I'll submit a PR on github.

Thanks,
Bill
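As an added example, not code from the original post and not OpenSSL's or BoringSSL's own implementation, here is the server-side logic a token binding custom extension needs in plain C: parse the client's offer, pick a key parameter the server supports, and build the one-element response body. The wire format is the one defined by the Token Binding negotiation draft (published later as RFC 8472); the function names, the server-preference-order selection policy, the sample client offer and the server's supported list are this example's own assumptions.

```c
/*
 * Added example (not from the post, OpenSSL or BoringSSL): encoding and
 * server-side selection for the Token Binding negotiation extension body.
 * Wire format per the Token Binding negotiation draft (later RFC 8472):
 *
 *   struct { uint8 major; uint8 minor; } TB_ProtocolVersion;
 *   enum { rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255) }
 *       TokenBindingKeyParameters;
 *   struct {
 *       TB_ProtocolVersion        token_binding_version;
 *       TokenBindingKeyParameters key_parameters_list<1..2^8-1>;
 *   } TokenBindingParameters;
 *
 * Function names, the selection policy and the sample data are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TB_KP_RSA2048_PKCS15 0
#define TB_KP_RSA2048_PSS    1
#define TB_KP_ECDSAP256      2
#define TB_MAX_PARAMS        255

typedef struct {
    uint8_t major, minor;
    uint8_t params[TB_MAX_PARAMS];
    size_t  nparams;
} tb_params;

/* Parse an extension body. Returns 0 on success, -1 if the body is short,
 * the list is empty, or the length byte disagrees with the body length. */
int tb_parse(const uint8_t *in, size_t inlen, tb_params *out)
{
    if (in == NULL || out == NULL || inlen < 4) /* version(2) + len(1) + >= 1 param */
        return -1;
    size_t listlen = in[2];
    if (listlen == 0 || inlen != 3 + listlen)
        return -1;
    out->major = in[0];
    out->minor = in[1];
    out->nparams = listlen;
    memcpy(out->params, in + 3, listlen);
    return 0;
}

/* Serialize a body. Returns bytes written, or -1 on an empty/oversized list
 * or a too-small output buffer. */
int tb_encode(const tb_params *p, uint8_t *out, size_t outlen)
{
    if (p->nparams == 0 || p->nparams > TB_MAX_PARAMS || outlen < 3 + p->nparams)
        return -1;
    out[0] = p->major;
    out[1] = p->minor;
    out[2] = (uint8_t)p->nparams;
    memcpy(out + 3, p->params, p->nparams);
    return (int)(3 + p->nparams);
}

/* Server side: walk the server's supported parameters in its own preference
 * order (example policy) and answer with the first one the client offered.
 * Returns the response length, 0 if there is no overlap (the server would
 * then omit the extension), or -1 if the client's body is malformed. */
int tb_server_respond(const uint8_t *client_ext, size_t client_len,
                      const uint8_t *supported, size_t nsupported,
                      uint8_t server_major, uint8_t server_minor,
                      uint8_t *out, size_t outlen)
{
    tb_params c;
    if (tb_parse(client_ext, client_len, &c) != 0)
        return -1;
    for (size_t i = 0; i < nsupported; i++) {
        for (size_t j = 0; j < c.nparams; j++) {
            if (c.params[j] != supported[i])
                continue;
            tb_params r;
            /* Never answer with a version above the client's: use the lower one. */
            if (c.major < server_major || (c.major == server_major && c.minor < server_minor)) {
                r.major = c.major;  r.minor = c.minor;
            } else {
                r.major = server_major;  r.minor = server_minor;
            }
            r.params[0] = supported[i];
            r.nparams = 1;
            return tb_encode(&r, out, outlen);
        }
    }
    return 0;
}

/* Constructed sample: client offers version 1.0 with ecdsap256 then
 * rsa2048_pkcs1.5; the server prefers rsa2048_pss, then ecdsap256. */
static const uint8_t demo_client[]      = { 0x01, 0x00, 0x02, TB_KP_ECDSAP256, TB_KP_RSA2048_PKCS15 };
static const uint8_t demo_server_pref[] = { TB_KP_RSA2048_PSS, TB_KP_ECDSAP256 };

/* Runs the sample negotiation into out; returns the response length. */
int tb_demo(uint8_t *out, size_t outlen)
{
    return tb_server_respond(demo_client, sizeof demo_client,
                             demo_server_pref, sizeof demo_server_pref,
                             1, 0, out, outlen);
}

int main(void)
{
    uint8_t resp[8];
    int n = tb_demo(resp, sizeof resp);
    printf("response length %d:", n);
    for (int i = 0; i < n; i++) printf(" %02x", resp[i]);
    printf("\n");
    return n > 0 ? 0 : 1;
}
```

In an OpenSSL 1.0.2 server this is the logic that would run inside the parse callback registered with SSL_CTX_add_server_custom_ext(), with the matching add callback handing back the bytes tb_server_respond() produced; the resumption check the post proposes moving out of the library would then be a call to SSL_session_reused() inside that add callback, since for token binding the server has to send the extension on a resumed handshake as well.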