Re: [openssl-users] SNI callback

2018-11-28 Thread Viktor Dukhovni
> On Nov 28, 2018, at 3:48 PM, Jeremy Harris wrote:
> 
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail.  It carries
> on; am I doing something wrong?

For an SMTP server, SNI values that don't match are not unexpected,
given that e.g. with DANE the DANE-aware clients will send the TLSA
base domain, while non-DANE clients will send the original MX hostname,
which may be different.

So while it is interesting to test failing on SNI mismatch, please DO NOT
fail handshakes on SNI mismatch in SMTP.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] SNI callback

2018-11-28 Thread Jeremy Harris
On 28/11/2018 21:03, Benjamin Kaduk via openssl-users wrote:
> On Wed, Nov 28, 2018 at 08:48:10PM +, Jeremy Harris wrote:
>> OpenSSL 1.1.1 FIPS  11 Sep 2018
>> RHEL 8.0 beta
>>
>> Using SSL_CTX_set_tlsext_servername_callback()
>> when the called routine returns SSL_TLSEXT_ERR_NOACK
>> I was expecting the handshake to fail.  It carries
>> on; am I doing something wrong?
> 
> NOACK is basically "pretend that there wasn't a callback here";
> you should probably use SSL_TLSEXT_ERR_ALERT_FATAL to abort the
> connection if you want the handshake to fail.

Gotcha.
- Thanks



Re: [openssl-users] SNI callback

2018-11-28 Thread Benjamin Kaduk via openssl-users
On Wed, Nov 28, 2018 at 08:48:10PM +, Jeremy Harris wrote:
> OpenSSL 1.1.1 FIPS  11 Sep 2018
> RHEL 8.0 beta
> 
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail.  It carries
> on; am I doing something wrong?

NOACK is basically "pretend that there wasn't a callback here";
you should probably use SSL_TLSEXT_ERR_ALERT_FATAL to abort the
connection if you want the handshake to fail.

-Ben


[openssl-users] SNI callback

2018-11-28 Thread Jeremy Harris
OpenSSL 1.1.1 FIPS  11 Sep 2018
RHEL 8.0 beta

Using SSL_CTX_set_tlsext_servername_callback()
when the called routine returns SSL_TLSEXT_ERR_NOACK
I was expecting the handshake to fail.  It carries
on; am I doing something wrong?
-- 
Thanks,
  Jeremy