Re: TLS Extension support - Server Name Indication

2005-10-20 Thread Bodo Moeller
On Thu, Oct 13, 2005 at 07:23:29PM +0200, Peter Sylvester wrote:

 I have put a version of openssl that supports the TLS servername extension
 into our web server. It is based on an openssl development snapshot of
 last week.
 We have split off and simplified the code that was done together with SRP
 last year, and corrected known bugs.
 
 See http://www.edelweb.fr/EdelKey/files/openssl-0.9.8+SERVERNAME.tar.gz
 
 see also http://www.edelweb.fr/EdelKey/
 
 The snapshot was one day before the 0.9.8a announcement, [...]

 Basically s_client and s_server have been slightly enhanced, and in ssl
 the modules that have OPENSSL_NO_TLSEXT contain the new
 functionality.
 In the s23_lib.c it is possible to have announce a TLS extension and
 to ignore it on the server side as with s3_lib.
 
 There is one functionality which is not necessary to support the servername
 extension, but only to allow a renegotiation of a session using another
 servername, e.g. when a web server received a Host:  This is not yet
 fully tested, and I am not sure whether the implementation is good.
 The idea is to switch the ssl-ctx point to another context. The reference
 counting for the ctx is simple, but during an SSL_new there is some
 data cached down into the SSL, and, in particular the interesting
 one, the server's certificate. It may not be necessary to switch the
 actual CTX, but rather change the SSL to cache from the other CTX.

Great!  Can you provide your changes in 'diff -u' format, relative to
the snapshot it was based on?

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: TLS Extension support - Server Name Indication

2005-10-13 Thread Peter Sylvester

Dear OpenSSL developers,

I have put a version of openssl that supports the TLS servername extension
into our web server. It is based on an openssl development snapshot of
last week.

We have split off and simplified the code that was done together with SRP
last year, and corrected known bugs.

See http://www.edelweb.fr/EdelKey/files/openssl-0.9.8+SERVERNAME.tar.gz

see also http://www.edelweb.fr/EdelKey/

The snapshot was one day before the 0.9.8a announcement, I think it
contains the recent vulnerability patch.

I invite the core developers to take a look at it:

Basically s_client and s_server have been slightly enhanced, and in ssl
the modules that have OPENSSL_NO_TLSEXT contain the new
functionality.
In the s23_lib.c it is possible to have announce a TLS extension and
to ignore it on the server side as with s3_lib.


There is one functionality which is not necessary to support the servername
extension, but only to allow a renegotiation of a session using another
servername, e.g. when a web server received a Host:  This is not yet
fully tested, and I am not sure whether the implementation is good.
The idea is to switch the ssl-ctx point to another context. The reference
counting for the ctx is simple, but during an SSL_new there is some
data cached down into the SSL, and, in particular the interesting
one, the server's certificate. It may not be necessary to switch the
actual CTX, but rather change the SSL to cache from the other CTX.


Regards and thanks for looking at it; sorry for the lengthy message.

Peter

Cesc wrote:


Hi,
 
While discussing the proper implementation for TLS support for 
(open)ser SIP proxy (currently using OpenSSL), we came up with somehow 
a showstopper: when the server serves multiple domains, we'd like to 
present a different certificate depending on which domain the incoming 
message is directed to. The option of using a different port per 
domain is an option, but not the best one.
So, my question is, does openssl implement TLS extensions, as defined
in RFC 3546, especially section 3.1 - server name identification?
This way, the tls client establishing the tls connection could 
announce the proxy it is connecting to, thus solving all the 
multi-domain problems.

We heard that it is there in gnutls, what about openssl?
 
And, now that I started, what TLS Extensions does openssl support?
 
Regards,
 
Cesc




--
To verify the signature, see http://edelpki.edelweb.fr/ 
That lets you load the authority's certificate;
you will also find the list of revoked certificates there.



smime.p7s
Description: S/MIME Cryptographic Signature
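
Added example, not part of the thread and not the code from the EdelKey tarball: a bounds-checked parser for the `extension_data` of the server_name extension (RFC 3546, section 3.1) and the per-domain certificate choice Cesc asks about. The `vhosts` table, the certificate file names and both function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical per-domain table; a real server would hold one SSL_CTX
 * (certificate + key) per entry. File names are constructed samples. */
struct vhost { const char *name; const char *cert_file; };
static const struct vhost vhosts[] = {
    { "sip.example.org", "example-org.pem" },   /* first entry = default */
    { "sip.example.net", "example-net.pem" },
};

/* Parse server_name extension_data (RFC 3546, 3.1):
 *   uint16 list_len; entries { uint8 name_type; uint16 len; opaque name[len] }
 * Copies the first host_name (type 0) into out. Returns its length,
 * 0 if no host_name entry is present, -1 if the data is malformed. */
int sni_host_name(const unsigned char *p, size_t n, char *out, size_t outsz)
{
    if (n < 2) return -1;
    size_t list_len = ((size_t)p[0] << 8) | p[1];
    if (list_len != n - 2) return -1;          /* must match exactly */
    p += 2; n -= 2;
    while (n > 0) {
        if (n < 3) return -1;
        unsigned type = p[0];
        size_t len = ((size_t)p[1] << 8) | p[2];
        p += 3; n -= 3;
        if (len == 0 || len > n) return -1;    /* entry overruns the list */
        if (type == 0) {
            /* reject names that do not fit or that hide an embedded NUL */
            if (len >= outsz || memchr(p, 0, len) != NULL) return -1;
            memcpy(out, p, len);
            out[len] = '\0';
            return (int)len;
        }
        p += len; n -= len;                    /* skip other name types */
    }
    return 0;
}

/* Pick the certificate for the announced name. Absent, unknown or
 * malformed names fall back to the default entry in this sketch. */
const char *select_cert(const unsigned char *ext, size_t n)
{
    char host[256];
    if (sni_host_name(ext, n, host, sizeof host) > 0)
        for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
            if (strcasecmp(host, vhosts[i].name) == 0)
                return vhosts[i].cert_file;
    return vhosts[0].cert_file;
}
```

A production server may prefer to abort the handshake on malformed extension data rather than fall back to the default certificate.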