On 07/06/2022 15:02, Matt Caswell wrote:
>
>
> On 07/06/2022 13:46, Michael Richardson wrote:
>> Matt Caswell wrote:
>> > On 06/06/2022 18:08, Christian Schmidt wrote:
>> >> Hi,
>> >> I am building a server application that allows a user to log
>> in by
>> >> providing a certificate. In order to do custom checks, I have
>> added a
>> >> verify callback to my code to check the certificate on top of its
>> >> cryptographic features (CA Valid, etc).
>> >> If the certificate does not pass my extended checks, I would
>> like to
>> >> return the access_denied alert as per RFC8446 section 6.2:
>> >> access_denied: A valid certificate or PSK was received, but when
>> >> access control was applied, the sender decided not to proceed
>> with
>> >> negotiation.
>> >> However, I can't find a way to generate this alert in openssl,
>> although
>> >> openssl can handle receiving it.
>> >> How do I make a callback return a non-defined (as in not
>> defined in the
>> >> headers) alert?
>>
>> > This is not currently possible.
>>
>> > OpenSSL has an internal table which maps verify errors to TLS
>> alerts:
>>
>> >
>> https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394
>>
>>
>> > Unfortunately there are no entries in this table that map to the
>> > access_denied alert.
>>
>> Would extensions to this list be welcome?
>> Should Christian send a PR?
>
> I would be happy to review such a PR - although it would only be applied
> to master and not 3.0 or 1.1.1. Any PR could only be in the form of
> additions to the table (not modifications to existing entries), so as
> not to break existing behaviour.
By PR, do you mean Problem Report or Pull Request?
Because after reading up on it, it seems that a Pull Request would
require a CLA, and I am not willing to sign any contract under US law (I
have no idea of implications, and a lawyer to explain these is not
reasonably affordable for roughly two LOC). The things I know it for are
unreasonable laws (I suppose an Access Denied alert might be
patentable/copyrightable under US law, while it wouldn't under EU law),
ridiculously off compensations (which seems a risk to me - I do no know
if someone holds a patent/copyright on the alert from the RFC, and do
not know how to check), and violating Europeans' constitutional laws
(see the discussion around safe harbor agreements / GDPR).
Best regards,
Christian
