Re: [PATCH 0/2] ssl chain fetcher

2020-08-05 Thread William Lallemand
On Wed, Aug 05, 2020 at 03:07:19PM +0200, William Dauchy wrote:
> On Wed, Aug 5, 2020 at 2:41 PM William Lallemand wrote:
> > I don't know if it is possible to fix this, but I think most of the SSL
> > fetches have the problem.
> 
> OK, makes sense in that case. So for now I assume there is no easy way
> to get the information from a resumed session, right?
> 

As far as I know it's not in memory anymore once it's resumed.

-- 
William Lallemand



Re: [PATCH 0/2] ssl chain fetcher

2020-08-05 Thread William Dauchy
Hello William,

Thanks for your quick answer.

On Wed, Aug 5, 2020 at 2:41 PM William Lallemand wrote:
> I don't know if it is possible to fix this, but I think most of the SSL
> fetches have the problem.

OK, makes sense in that case. So for now I assume there is no easy way
to get the information from a resumed session, right?

> Your patches look good, my only concern is the alloc_trash_chunk()
> return value which is not tested, otherwise I'm okay to merge them!

fixed in v2.

-- 
William



Re: [PATCH 0/2] ssl chain fetcher

2020-08-05 Thread William Lallemand
On Wed, Aug 05, 2020 at 11:42:15AM +0200, William Dauchy wrote:
> Hi,
> 
> Here is a patch to add a new fetcher for the cert chain.
> It follows the discussion in the thread
> https://www.mail-archive.com/haproxy@formilux.org/msg35607.html
> 
> It currently does not support session reuse, but I was looking for
> input about it, whether I could make use of `reused_sess` objects in
> haproxy, and in which way. Indeed, as pointed out by Emeric in
> https://www.mail-archive.com/haproxy@formilux.org/msg37380.html
> `SSL_get_peer_cert_chain` returns NULL in the case of a resumed session.
> 

I don't know if it is possible to fix this, but I think most of the SSL
fetches have the problem.

Your patches look good, my only concern is the alloc_trash_chunk()
return value which is not tested, otherwise I'm okay to merge them!

> + smp_trash = get_trash_chunk();
> + tmp_trash = alloc_trash_chunk();
> + for (i = 0; i < num_certs; i++) {
> + crt = sk_X509_value(certs, i);
> + if (ssl_sock_crt2der(crt, tmp_trash) <= 0)
> + goto out;
> + chunk_cat(smp_trash, tmp_trash);
> + }
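Review bot: the return value of alloc_trash_chunk() at the top of this hunk is never checked before tmp_trash is handed to ssl_sock_crt2der() in the loop; when the pool is exhausted it returns NULL and the first iteration dereferences it. Add `if (!tmp_trash) goto out;` directly after the allocation, and make sure the out: path releases the chunk with free_trash_chunk() on both the success and the early-exit route. The chunk_cat(smp_trash, tmp_trash) call also discards its return value, so a chain that does not fit in smp_trash would go unnoticed rather than failing the fetch; checking it and bailing out in that case would be safer.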


-- 
William Lallemand



[PATCH 0/2] ssl chain fetcher

2020-08-05 Thread William Dauchy
Hi,

Here is a patch to add a new fetcher for the cert chain.
It follows the discussion in the thread
https://www.mail-archive.com/haproxy@formilux.org/msg35607.html

It currently does not support session reuse, but I was looking for
input about it, whether I could make use of `reused_sess` objects in
haproxy, and in which way. Indeed, as pointed out by Emeric in
https://www.mail-archive.com/haproxy@formilux.org/msg37380.html
`SSL_get_peer_cert_chain` returns NULL in the case of a resumed session.

Thanks,

William Dauchy (2):
  CLEANUP: ssl: ssl_sock_crt2der semicolon and spaces
  MINOR: ssl: add ssl_c_chain_der fetch method

 doc/configuration.txt|   7 ++
 reg-tests/ssl/client1.pem| 106 +++
 reg-tests/ssl/ssl_client_samples.vtc |   2 +
 src/ssl_sample.c |  61 +++
 src/ssl_utils.c  |   6 +-
 5 files changed, 179 insertions(+), 3 deletions(-)

-- 
2.27.0