Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread David Benjamin via openssl-dev
(Resending from an address which is actually subscribed. Apologies if this causes anyone to receive this twice.) Here's the patch series which flipped it: https://boringssl.googlesource.com/boringssl/+/4eb95ccfd64d46fad23f36238690594d02518467

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread Fedor Indutny
Alessandro, Indeed I just checked BoringSSL's source and it calls cert_cb before resuming the session. Inviting David Benjamin into this conversation. David, Do you have any insights or motivation to share with us? The way BoringSSL handles session resumption + cert_cb is a correct one in my

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread Salz, Rich
> Thank you for feedback, though! Thanks for your expertise and continued interest in pushing OpenSSL into new(er) areas! -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread Alessandro Ghedini
On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote: > This totally makes sense. Unfortunately, adding a new API method for this > means that I'll have to re-introduce ClientHello parser in bud, and make a > wider use of it in Node.js again. FWIW, BoringSSL offers an early callback that

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread Fedor Indutny
Thank you for feedback, though! On Sat, Dec 10, 2016 at 11:13 AM, Fedor Indutny wrote: > This totally makes sense. Unfortunately, adding a new API method for this > means that I'll have to re-introduce ClientHello parser in bud, and make a > wider use of it in Node.js again.

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread Fedor Indutny
This totally makes sense. Unfortunately, adding a new API method for this means that I'll have to re-introduce ClientHello parser in bud, and make a wider use of it in Node.js again. On Sat, Dec 10, 2016 at 3:07 AM, Salz, Rich wrote: > > Oh, just to restate it. I'm willing to

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Salz, Rich
> Oh, just to restate it. I'm willing to submit the patch if we agree on what > exactly it should do. Might want to wait a bit. TLS 1.3 handshakes are a bit different.

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Salz, Rich
What seems most sensible is to have a callback once the hello is parsed, allow the callback to change almost anything it wants. I would be very disappointed if we did something that was too specific to some special use cases.

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Benjamin Kaduk
I was mostly under the impression that Matt Caswell was planning to add a generic "early callback" that gets called just after extensions are read but before they are processed, and was waiting to see what that looked like and whether the same API could be reasonably backported to 1.1.0 (not

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Fedor Indutny
Oh, just to restate it. I'm willing to submit the patch if we agree on what exactly it should do. On Fri, Dec 9, 2016 at 11:29 PM, Fedor Indutny wrote: > Hello Benjamin, > > On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk wrote: > >> On 12/09/2016 01:43

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Fedor Indutny
Hello Benjamin, On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk wrote: > On 12/09/2016 01:43 PM, Fedor Indutny wrote: > > Hello, > > During development of one feature for my TLS proxy bud, I have discovered > that the cert_cb is invoked only for newly generated

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Benjamin Kaduk
On 12/09/2016 01:43 PM, Fedor Indutny wrote: > Hello, > > During development of one feature for my TLS proxy bud, I have > discovered that the cert_cb is invoked only for newly generated > tickets/sessions. The reasoning behind this is clear, but I believe > that it most likely needs a

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Fedor Indutny
On Fri, Dec 9, 2016 at 11:13 PM, Viktor Dukhovni wrote: > On Fri, Dec 09, 2016 at 09:47:19PM +0100, Fedor Indutny wrote: > > > > The callback is *correctly* only called when choosing the server > > > certificate. In *that* case, it is always called. When sessions >

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Viktor Dukhovni
On Fri, Dec 09, 2016 at 09:47:19PM +0100, Fedor Indutny wrote: > > The callback is *correctly* only called when choosing the server > > certificate. In *that* case, it is always called. When sessions > > are resumed, there is no certificate to present, so no callback is > > made. > > That's

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Fedor Indutny
Hello Viktor! Replying inline. On Fri, Dec 9, 2016 at 9:28 PM, Viktor Dukhovni wrote: > On Fri, Dec 09, 2016 at 08:43:01PM +0100, Fedor Indutny wrote: > > > During development of one feature for my TLS proxy bud, I have discovered > > that the cert_cb is invoked

Re: [openssl-dev] cert_cb and TLS tickets

2016-12-09 Thread Viktor Dukhovni
On Fri, Dec 09, 2016 at 08:43:01PM +0100, Fedor Indutny wrote: > During development of one feature for my TLS proxy bud, I have discovered > that the cert_cb is invoked only for newly generated tickets/sessions. The > reasoning behind this is clear, but I believe that it most likely needs > a