I looked a bit in detail into the ecpoint format extension stuff.
- Currently, as I said yesterday, one cannot compile openssl with OPENSSL_NO_EC. - I am not sure but it seems to me that the tlsext_ecpointformat_list in the SSL is not freed together with an SSL object, so you have a mem leak unless you disable the EC cipher suites. Well, besides that, I have the feeling that the extension code for the point formats is somewhat strange. - The ssl_prepare_client/serverhello_tlsext routines don't serve a real purpose IMO. They are just called before the correspondingssl_add_client/server... At best, they could be called internally. My goal was to have a small footprint in s3_lib.c There would
be some benefit it a prepare routine would ned to be called very early in the process and some heavy work would be avoided, but I don't think this is the case. - The tests in the prepare routine (are EC ciphers proposed) can be done in that add_client_hello_ext, and, if the extension is added, then just the constant octet string is set in the client hello. - It doesn't need to be remembered as such in the SSL object because it is a constant. At most, a flag bit string list for the supported values can be added to the SSL object (not containing the uncompressed) Thus, when receiving the server hello, one would match the bitstring with the received values, and make whatever decision later concerning certificats. - What is the purpose of keeping the pointformat list in a saved session? If a session is renegotiated, shouldn't all these information concerning ciphers go away? A renego could end with a totally different suite. This is not the same situation as with the hostname extension, where it may happen that the hostname changes, e.g. when a Host: directive occurs in the data stream, and this "state" should not be lost. Comments? --To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch.
smime.p7s
Description: S/MIME Cryptographic Signature
