[openssl-users] Early data based on SNI with OpenSSL 1.1.1

Olivier Houchard cognet at ci0.org
Thu Oct 26 23:13:44 UTC 2017


Hi Matt,

Sorry for the late answer.

On Mon, Oct 23, 2017 at 04:31:02PM +0100, Matt Caswell wrote:
> 
> 
> On 23/10/17 16:16, Olivier Houchard wrote:
> > Hi,
> > 
> > I'm trying to use OpenSSL 1.1.1 to accept or reject early data based on
> > the SNI, and I'm a bit confused on how to do so.
> > The problem I have is, I don't know the SNI before the client hello
> > callback is called, and at that time it seems to be too late to make a
> > decision for early data. Either the callback is called from
> > SSL_do_handshake(), and then any call to SSL_read_early_data() will fail
> > with SSL_ERROR_SSL, and early data will be rejected, or it is called if
> > I call SSL_read_early_data() first, but then early data will be
> > considered accepted no matter what.
> > 
> > I tried returning -1 from the client hello callback, but if called from
> > SSL_do_handshake to indicate early data are to be read, it seems to be too
> > late to call SSL_read_early_data() anyway, and if called from
> > SSL_read_early_data() to indicate we should stop reading early data, it
> > mostly works, except as s->early_data_state will be
> > SSL_EARLY_DATA_ACCEPT_RETRY, and so any call to SSL_Read() will fail
> > because of that test in ssl_read_internal() :
> >     if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
> >         || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
> >         SSLerr(SSL_F_SSL_READ_INTERNAL,
> >                ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
> >         return 0;
> >     }
> > 
> > Am I missing something obvious? Is there any way I can accept or reject
> > early data based on the SNI?
> 
> From the docs:
> 
> https://www.openssl.org/docs/manmaster/man3/SSL_set_max_early_data.html
> 
> "When a session is created between a server and a client the server will
> specify the maximum amount of any early data that it will accept on any
> future connection attempt. By default this is approximately 16k. A
> server may override this default value by calling
> SSL_CTX_set_max_early_data() or SSL_set_max_early_data() to set it for
> the whole SSL_CTX or an individual SSL object respectively. Similarly
> the SSL_CTX_get_max_early_data() and SSL_get_max_early_data() functions
> can be used to obtain the current maximum early data settings for the
> SSL_CTX and SSL objects respectively."
> 
> So, probably the best way to do this is to set the max early data for
> the server CTXs that you don't want to accept early_data to 0. Then any
> sessions they issue will not allow early_data to be used. If a client
> does attempt to use that session to send early data then it will
> be automatically rejected.
> 

This didn't seem to do the trick, however,

> If that doesn't work for you another way (I think?) to do this would be
> to set the max early data for that SSL object (using
> SSL_set_max_early_data()) to 0 during the callback.
> 

This definitely did! Thanks a lot!

Regards,

Olivier
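As an added illustration of the approach the thread settles on (not code from the thread or from OpenSSL): a client hello callback gets the raw server_name extension body from SSL_client_hello_get0_ext(), so it has to parse that body itself before it can decide whether to call SSL_set_max_early_data(ssl, 0). The parser below follows RFC 6066 and rejects malformed lengths; the allowlist of hostnames permitted to use 0-RTT is a made-up assumption for the example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Parse the body of a TLS server_name extension (RFC 6066, section 3), i.e.
 * the bytes SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, ...)
 * hands to a client hello callback, and copy the first host_name entry
 * into out. Returns 1 on success, 0 on malformed input or no host_name. */
int sni_from_server_name_ext(const unsigned char *ext, size_t len,
                             char *out, size_t outlen)
{
    size_t list_len, i;

    if (len < 2)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != len - 2)           /* list must exactly fill the body */
        return 0;
    for (i = 2; i + 3 <= len; ) {
        unsigned char name_type = ext[i];
        size_t name_len = ((size_t)ext[i + 1] << 8) | ext[i + 2];
        i += 3;
        if (name_len > len - i)        /* entry runs past the buffer */
            return 0;
        if (name_type == 0) {          /* NameType host_name */
            if (name_len == 0 || name_len >= outlen ||
                memchr(ext + i, '\0', name_len) != NULL)
                return 0;
            memcpy(out, ext + i, name_len);
            out[name_len] = '\0';
            return 1;
        }
        i += name_len;                 /* unknown NameType: skip it */
    }
    return 0;
}

/* Policy: which SNI values may send 0-RTT data. These names are an
 * assumption made up for this example; a real server would consult its
 * per-vhost configuration instead. */
static const char *early_data_hosts[] = { "static.example.com", NULL };

/* Value to pass to SSL_set_max_early_data() inside the client hello
 * callback: 0 rejects early data on this connection (the fix from the
 * thread); otherwise keep the ~16k default the docs describe. */
unsigned int max_early_data_for_sni(const char *sni)
{
    const char **h;
    for (h = early_data_hosts; *h != NULL; h++)
        if (sni != NULL && strcasecmp(sni, *h) == 0)
            return 16384;
    return 0;                          /* unknown or absent SNI: no 0-RTT */
}
```

Setting the limit per SSL object in the callback only affects the current connection; sessions already issued with a non-zero limit are still rejected at read time because the per-connection limit is now 0.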