[openssl-dev] Enhancing ssltest_old.c?
Bill Cox
waywardgeek at gmail.com
Tue Sep 6 02:33:52 UTC 2016
Sorry... stupid auto-send still happens on my Goobuntu latptop, even with
tap-click disabled on the still poorly supported touchpad.
Here's the current PR: https://github.com/openssl/openssl/pull/1538
My feeling is that if we put in the effort to upgrade the new SSL test
harness to understand custom extensions, it might also be a good time to
upgrade the custom extension API. There are a couple of enhancements that
likely have been considered here before:
- Add a way for custom extensions to save/restore state to the streamed
session
- Add a way for custom extensions to see what other extensions have been
negotiated or not.
Right now, custom extensions cannot save state between connections. This
makes many simple extensions impossible to implement using the custom
extension API. Often the server needs to remember the outcome of the
original extension negotiation.
Another issue is that custom extensions get zero knowledge of other
extensions. This makes some things hard to implement. For example, we
would like to stop including a version field in the token binding
extension, and instead just issue a new extension if the binary format
needs to be updated in an incompatible way. What happens if version 1.0
gets rewritten as a native extension, and we later write a new custom
extension to override it? Right now, there is no way to do that, giving
weight to the argument for keeping the version number in the extension. It
is also not possible to ensure that extended-master-secret has been
negotiated before the server add-callback has to commit to sending the
token-binding extension in the server hello, meaning the client must check
both extensions after the handshake completes, which is a bit goofy.
So, what would you think about going forward with a simple upgrade similar
to my PR, while working out what an improved custom extension API should
look llike?
Bill
On Mon, Sep 5, 2016 at 7:12 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> I took a quick look through the new SSL test framework, which looks pretty
> good. I created this pull request to show what I currently propose:
>
>
> On Mon, Sep 5, 2016 at 2:22 PM, Richard Levitte <levitte at openssl.org>
> wrote:
>
>> I think it makes more sense to extend the new SSL test framework...
>>
>> Cheers
>> Richard
>>
>> Bill Cox <waywardgeek at gmail.com> skrev: (5 september 2016 19:14:22 CEST)
>> >I wrote a simple change to custom extensions so that they can be
>> >negotiated
>> >on resume, which is needed by token binding. I put the test for this
>> >change in test/ssltest_old.c, which seems weird, but there are no
>> >custom
>> >extension tests in the new SSL tests AFAIK. Do we still extend the old
>> >tests when there are no equivalent new tests?
>> >
>> >Bill
>> >
>> >
>> >------------------------------------------------------------------------
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>> --
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160905/30994b09/attachment.html>
More information about the openssl-dev
mailing list