Re: OpenSSL and per-context option problem

2018-09-17 Thread Thierry Fournier

—
Thierry Fournier
Web Performance & Security Expert
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/

> On 17 Sep 2018, at 12:45, Emmanuel Hocdet wrote:
> 
> 
> Hi Thierry,
> 
>> On 15 Sep 2018, at 18:06, Thierry Fournier wrote:
>> 
>> Hi,
>> 
>> I tried to use per-context options, in order to enable HTTP2 for a short
>> list of SNI. I just added lines like this:
>> 
>>   /certif1.pem [alpn h2,http/1.1] my-h2-host.com
>>   /certif2.pem my-other-host.com
>> 
>> This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn’t
>> work on Ubuntu 16.04 with OpenSSL 1.0.2l.
>> 
>> I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
>> enabled.
>> 
>> My conclusion is that some versions of OpenSSL don’t support all per-context
>> options.
>> 
>> Do you have an opinion?
>> 
> 
> Are you sure it's not the opposite: doesn't work with 1.0.2g?
> 
> "Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
> 
> Modify behavior of ALPN to invoke callback after SNI/servername callback,
> such that updates to the SSL_CTX affect ALPN."
> 
Sorry, I mixed up the versions. The following is the reality:

OpenSSL 1.0.2l  25 May 2017 => works
OpenSSL 1.0.2g  1 Mar 2016  => doesn’t work.

The change explains the observed behavior!

br,
Thierry

Re: OpenSSL and per-context option problem

2018-09-17 Thread Emmanuel Hocdet

Hi Thierry,

> On 15 Sep 2018, at 18:06, Thierry Fournier wrote:
> 
> Hi,
> 
> I tried to use per-context options, in order to enable HTTP2 for a short
> list of SNI. I just added lines like this:
> 
>   /certif1.pem [alpn h2,http/1.1] my-h2-host.com
>   /certif2.pem my-other-host.com
> 
> This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn’t
> work on Ubuntu 16.04 with OpenSSL 1.0.2l.
> 
> I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
> enabled.
> 
> My conclusion is that some versions of OpenSSL don’t support all per-context
> options.
> 
> Do you have an opinion?
> 

Are you sure it's not the opposite: doesn't work with 1.0.2g?

"Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]

Modify behavior of ALPN to invoke callback after SNI/servername callback, such
that updates to the SSL_CTX affect ALPN."

++
Manu
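The two facts in this exchange (the per-certificate option lines Thierry posted, and the 1.0.2h changelog entry Manu quoted, which moved the ALPN callback after the SNI callback) can be turned into a quick pre-deployment check. The script below is an added example, not code from this thread, from the proxy's own configuration parser, or from OpenSSL. It assumes only the line shape shown in the thread (`<cert path> [<options>] <sni filters...>`), a simplified option syntax in which only `alpn` takes a comma-separated value and every other bracketed token is a flag, `#` comment lines, and the banner format of `openssl version`; the sample certificate list is constructed from the thread's two lines.

```python
"""Check whether per-SNI ALPN settings will be honored by the local OpenSSL.

Added example; not code from the thread, the proxy, or OpenSSL.
"""
import re

# From the changelog entry quoted in the thread: starting with OpenSSL 1.0.2h
# the ALPN callback runs after the SNI/servername callback, so an SSL_CTX
# selected per SNI can carry its own ALPN list. Older 1.0.2 releases choose
# ALPN before the servername callback has switched the context.
ALPN_AFTER_SNI_SINCE = (1, 0, 2, "h")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Assumed line shape, taken from the thread: <cert path> [<options>] <sni filters...>
_CRTLIST_RE = re.compile(r"^(\S+)\s*(?:\[([^\]]*)\])?\s*(.*?)$")


def parse_openssl_version(banner):
    """Turn an `openssl version` banner such as 'OpenSSL 1.0.2g  1 Mar 2016'
    into a comparable (major, minor, patch, letter) tuple."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version in %r" % banner)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def alpn_follows_sni(banner):
    """True when this OpenSSL runs the ALPN callback after the SNI callback."""
    return parse_openssl_version(banner) >= ALPN_AFTER_SNI_SINCE


def parse_cert_list_line(line):
    """Split one certificate-list line into its path, options and SNI filters.

    Simplified parser (assumption): only 'alpn' takes a value, a comma-separated
    protocol list; any other bracketed token is kept as a boolean flag.
    Blank lines and lines starting with '#' are skipped (returns None).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _CRTLIST_RE.match(line)
    path, raw_opts, raw_filters = m.group(1), m.group(2), m.group(3)
    options = {}
    tokens = raw_opts.split() if raw_opts else []
    i = 0
    while i < len(tokens):
        if tokens[i] == "alpn" and i + 1 < len(tokens):
            options["alpn"] = tokens[i + 1].split(",")
            i += 2
        else:
            options[tokens[i]] = True
            i += 1
    return {"cert": path, "options": options, "sni": raw_filters.split()}


def audit_cert_list(cert_list_text, banner):
    """List the entries carrying a per-certificate ALPN setting and report
    whether the given OpenSSL will actually apply it per SNI."""
    honored = alpn_follows_sni(banner)
    findings = []
    for raw in cert_list_text.splitlines():
        entry = parse_cert_list_line(raw)
        if entry is None or "alpn" not in entry["options"]:
            continue
        findings.append({
            "cert": entry["cert"],
            "sni": entry["sni"],
            "alpn": entry["options"]["alpn"],
            "honored": honored,
        })
    return findings


# Constructed sample input: the two lines from the thread plus a comment line.
SAMPLE_CERT_LIST = """\
# per-certificate options (constructed sample)
/certif1.pem [alpn h2,http/1.1] my-h2-host.com
/certif2.pem my-other-host.com
"""

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.2g  1 Mar 2016", "OpenSSL 1.0.2l  25 May 2017"):
        for f in audit_cert_list(SAMPLE_CERT_LIST, banner):
            state = "honored" if f["honored"] else "IGNORED (ALPN chosen before SNI)"
            print("%-28s %s alpn=%s for %s: %s"
                  % (banner, f["cert"], ",".join(f["alpn"]), " ".join(f["sni"]), state))
```

The version check only tells you what the library's callback ordering allows; it does not prove the proxy was built and linked against that library. To confirm on the wire, connect with `openssl s_client -connect <host>:443 -servername my-h2-host.com -alpn h2` and look at the `ALPN protocol:` line of the output (it reads `No ALPN negotiated` when the per-SNI setting was not applied); the host name here is the thread's placeholder, not a real target.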



OpenSSL and per-context option problem

2018-09-15 Thread Thierry Fournier

Hi,

I tried to use per-context options, in order to enable HTTP2 for a short
list of SNI. I just added lines like this:

   /certif1.pem [alpn h2,http/1.1] my-h2-host.com
   /certif2.pem my-other-host.com

This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn’t
work on Ubuntu 16.04 with OpenSSL 1.0.2l.

I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
enabled.

My conclusion is that some versions of OpenSSL don’t support all per-context
options.

Do you have an opinion?

If my conclusion is right, maybe a warning during the SSL configuration
parser execution would be a good idea?

BR,
Thierry