[openssl-users] Early data based on SNI with OpenSSL 1.1.1

Matt Caswell matt at openssl.org
Mon Oct 23 15:31:02 UTC 2017



On 23/10/17 16:16, Olivier Houchard wrote:
> Hi,
> 
> I'm trying to use OpenSSL 1.1.1 to accept or reject early data based on
> the SNI, and I'm a bit confused on how to do so.
> The problem I have is, I don't know the SNI before the client hello
> callback is called, and at that time it seems to be too late to make a
> decision for early data. Either the callback is called from
> SSL_do_handshake(), and then any call to SSL_read_early_data() will fail
> with SSL_ERROR_SSL, and early data will be rejected, or it is called if
> I call SSL_read_early_data() first, but then early data will be
> considered accepted no matter what.
> 
> I tried returning -1 from the client hello callback, but if called from
> SSL_do_handshake to indicate early data are to be read, it seems to be too
> late to call SSL_read_early_data() anyway, and if called from
> SSL_read_early_data() to indicate we should stop reading early data, it
> mostly works, except as s->early_data_state will be
> SSL_EARLY_DATA_ACCEPT_RETRY, and so any call to SSL_Read() will fail
> because of that test in ssl_read_internal() :
>     if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
>                || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
> 		            SSLerr(SSL_F_SSL_READ_INTERNAL,
> 			    ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
> 			            return 0;
>     }
> 
> Am I missing something obvious ? Is there any way I can accept or reject
> early data based on the SNI ?

>From the docs:

https://www.openssl.org/docs/manmaster/man3/SSL_set_max_early_data.html

"When a session is created between a server and a client the server will
specify the maximum amount of any early data that it will accept on any
future connection attempt. By default this is approximately 16k. A
server may override this default value by calling
SSL_CTX_set_max_early_data() or SSL_set_max_early_data() to set it for
the whole SSL_CTX or an individual SSL object respectively. Similarly
the SSL_CTX_get_max_early_data() and SSL_get_max_early_data() functions
can be used to obtain the current maximum early data settings for the
SSL_CTX and SSL objects respectively."

So, probably the best way to do this is to set the max early data for
the server CTXs that you don't want to accept early_data to 0. Then any
sessions they issue will not allow early_data to be used. If a client
does attempt to use that session to send early data then it then it will
be automatically rejected.

If that doesn't work for you another way (I think?) to do this would be
to set the max early data for that SSL object (using
SSL_set_max_early_data()) to 0 during the callback.

Matt


More information about the openssl-users mailing list