Hi all, some time ago we wrote about a general framework to implement TLS Extensions and Supplemental Data messages.
We are now dealing with errors/failures, and the related message to be send as part of the TLS Alert protocol. Let's begin with the simpler case: TLS Extensions. Since there are already examples, it seems clear that an extension can fail whenever it wants (still within the TLS Handshake) and it usually fails with: - SSLerr for local output - ssl3_send_alert() to notify to the peer. The error is usually an SSL_AD_HANDSHAKE_FAILURE (or maybe an internal error). That's why we plan to: - let an extension call SSLerr - let an extension to return an error code, which our framework will send through ssl3_send_alert(). Any comment on that? Next step, Supplemental Data. By RFC, SD should not "compromise" the Handshake protocol: Information provided in a supplemental data object MUST be intended to be used exclusively by applications and protocols above the TLS protocol layer. Any such data MUST NOT need to be processed by the TLS protocol. So we process SD after the handshake, e.g. in s3_srvc.c in the very last line of ssl3_accept() before returning (resp. on client side in ssl3_connect()). The point is: are we allowed to use the Alert protocol in order to notify to the peer that the verification of SD failed? In case, what error message should be appropriate? We planned to implement SD as extensions, this means: - SD can locally output errors with SSLerr - SD can return an error code, which will be forwarded to the peer by our framework. Shall we restrict the allowed return error codes? Just to give an example of usage, we are designing an extension which: - on client side negotiates a single SD entry, with a digital signature on some data. - on server side verifies the client's digital signature, and abort the close the channel in case of failure. Best regards -- Emanuele Cesena <emanuele.ces...@gmail.com> http://ecesena.dyndns.org Il corpo non ha ideali ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
