[openssl-dev] Token binding as a custom extension

Salz, Rich rsalz at akamai.com
Wed Mar 30 10:16:21 UTC 2016

Submit a PR

Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz

From: Bill Cox [mailto:waywardgeek at gmail.com]
Sent: Wednesday, March 30, 2016 3:07 AM
To: openssl-dev at openssl.org
Subject: [openssl-dev] Token binding as a custom extension

Hi.  I implemented the token binding TLS negotiation extension in BoringSSL using the OpenSSL custom extension API.  AFAIK, there are no current examples of any custom extensions in the OpenSSL code base.  Is this correct?  While my ulterior motive is to promote token binding (Google pays me to work on token binding), would the OpenSSL devs find it useful to have a token binding extension as an example of how to use the OpenSSL custom extension API?

If so, there is one problem still in the OpenSSL custom extension API, which was a 1-line fix in BoringSSL.  The server currently checks if the handshake is a resume, and if so, does not send custom extensions.  This check can easily be done in the custom extensions, and having it hard-coded makes the custom extension API impossible to use for extensions like token binding that require the extension be sent from the server on a resume.  Would there be any interest in changing this behavior in the custom extension API to support more use cases like token binding?  It is a very simple change.  If you folks are interested, I'll submit a PR on github.

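The extension Bill Cox describes, as an added example that is not code from the thread, from BoringSSL or from OpenSSL: a C codec for the Token Binding negotiation extension body plus the checks each side makes on it, with a server path that does not suppress its reply on a resumed handshake. In OpenSSL 1.0.2 these routines would be the bodies of the add and parse callbacks registered with SSL_CTX_add_client_custom_ext() and SSL_CTX_add_server_custom_ext(), and the value passed as `resumed` would come from SSL_session_reused(); that wiring is left out so the file builds without libssl. The wire format is the draft's (now RFC 8472); the version-selection policy, the preference lists and the version numbers are assumptions made for the example, and the constant names are invented.

```c
/*
 * Token Binding negotiation extension: wire codec plus both sides' checks.
 * Added example for this thread, not code from BoringSSL or OpenSSL.
 * Wire format per draft-ietf-tokbind-negotiation (later RFC 8472):
 *
 *   struct { uint8 major; uint8 minor; } TB_ProtocolVersion;
 *   enum { rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2) } KeyParameters;
 *   struct { TB_ProtocolVersion version;
 *            KeyParameters key_parameters_list<1..2^8-1>; } TokenBindingParameters;
 *
 * The ClientHello body carries the client's list; the ServerHello body carries
 * exactly one entry.  Version numbers and preference lists used below are
 * constructed sample data; the "lower of the two versions" rule is an assumed
 * policy, not a statement of what the draft requires.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TB_EXT_TYPE 24  /* token_binding; the value RFC 8472 later registered */

enum { TB_RSA2048_PKCS15 = 0, TB_RSA2048_PSS = 1, TB_ECDSAP256 = 2 };

typedef struct {
    uint8_t major, minor;
    uint8_t nparams;       /* 1..255 on the wire; 0 means "nothing to send" */
    uint8_t params[255];
} tb_params;

/* Serialise; returns bytes written, or 0 if the list is empty or out is short. */
size_t tb_encode(const tb_params *p, uint8_t *out, size_t outlen)
{
    size_t need = 3 + (size_t)p->nparams;
    if (p->nparams == 0 || outlen < need)
        return 0;
    out[0] = p->major;
    out[1] = p->minor;
    out[2] = p->nparams;
    memcpy(out + 3, p->params, p->nparams);
    return need;
}

/* Parse; rejects an empty list and any missing or trailing bytes. */
int tb_parse(const uint8_t *in, size_t inlen, tb_params *p)
{
    if (inlen < 4 || in[2] == 0 || inlen != 3 + (size_t)in[2])
        return 0;
    p->major = in[0];
    p->minor = in[1];
    p->nparams = in[2];
    memcpy(p->params, in + 3, p->nparams);
    return 1;
}

/*
 * Server side: from the ClientHello extension body (NULL if the client did not
 * send one) and the server's own version and preference-ordered parameters,
 * build the ServerHello body.  Returns bytes written, 0 to omit the extension.
 * Token Binding is negotiated on every handshake, so a resumed session must
 * not suppress the reply; `resumed` is accepted and deliberately ignored to
 * make that policy explicit.  This is the check the thread argues belongs in
 * the callback rather than hard-coded in the library.
 */
size_t tb_server_hello_ext(const uint8_t *client_ext, size_t client_len,
                           const tb_params *server, int resumed,
                           uint8_t *out, size_t outlen)
{
    tb_params client, resp;
    (void)resumed;
    if (client_ext == NULL || !tb_parse(client_ext, client_len, &client))
        return 0;   /* not offered, or malformed: do not add the extension */

    /* First server-preferred key parameter that the client also offered. */
    int chosen = -1;
    for (size_t i = 0; i < server->nparams && chosen < 0; i++)
        for (size_t j = 0; j < client.nparams; j++)
            if (client.params[j] == server->params[i]) {
                chosen = server->params[i];
                break;
            }
    if (chosen < 0)
        return 0;   /* no common key parameter: omit */

    /* Assumed policy: answer with the lower of the two versions. */
    resp.major = server->major;
    resp.minor = server->minor;
    if (client.major < server->major ||
        (client.major == server->major && client.minor < server->minor)) {
        resp.major = client.major;
        resp.minor = client.minor;
    }
    resp.nparams = 1;
    resp.params[0] = (uint8_t)chosen;
    return tb_encode(&resp, out, outlen);
}

/*
 * Client side: validate the ServerHello body against what was offered.
 * Returns 1 and fills *chosen when the server picked exactly one parameter the
 * client offered, at a version no higher than the client's; 0 otherwise, which
 * the parse callback should turn into a fatal handshake error.
 */
int tb_client_check(const tb_params *offered, const uint8_t *server_ext,
                    size_t server_len, tb_params *chosen)
{
    if (!tb_parse(server_ext, server_len, chosen) || chosen->nparams != 1)
        return 0;
    if (chosen->major > offered->major ||
        (chosen->major == offered->major && chosen->minor > offered->minor))
        return 0;
    for (size_t j = 0; j < offered->nparams; j++)
        if (offered->params[j] == chosen->params[0])
            return 1;
    return 0;
}

/* Full exchange on constructed data; returns the agreed parameter or -1. */
int tb_demo(int resumed)
{
    tb_params client = {1, 0, 2, {TB_RSA2048_PSS, TB_ECDSAP256}};
    tb_params server = {1, 0, 2, {TB_ECDSAP256, TB_RSA2048_PKCS15}};
    uint8_t ch[258], sh[258];
    tb_params chosen;
    size_t chlen = tb_encode(&client, ch, sizeof ch);
    size_t shlen = tb_server_hello_ext(ch, chlen, &server, resumed, sh, sizeof sh);
    if (shlen == 0 || !tb_client_check(&client, sh, shlen, &chosen))
        return -1;
    return chosen.params[0];
}
```

tb_demo(1) negotiates the same parameter as tb_demo(0): the server path has no resumption branch, so whether the extension appears in a resumed ServerHello is decided by what the client offered, not by the session state. That is the behaviour the message asks the library to permit; with the hard-coded skip, the add callback is never consulted on a resume and this code never runs. The parser's exact-length check matters as well: a custom extension body is attacker-controlled input, and the callback must reject a short or padded body rather than read past it.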
