Hello Viktor,

> Thanks to Todd Short, RFC7250 raw public keys should be available in
> OpenSSL ~3.2.  Applications that use unauthenticated opportunistic TLS,

Sounds great. Especially for IoT/constrained use-cases that's a real
benefit.

Just in case someone is interested: I asked a couple of months ago
whether https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10 has
some considerations about certificate types without a validation date.
See https://github.com/tlswg/tls-subcerts/issues/107

> The pull request <https://github.com/openssl/openssl/pull/18185> is
> still a work in progress, but complete enough for application
> integration testing.

I will try to test next week the DTLS interoperability with

Eclipse/tinydtls
Eclipse/Californium

best regards
Achim


On 22.01.23 at 21:41, Viktor Dukhovni wrote:
Thanks to Todd Short, RFC7250 raw public keys should be available in
OpenSSL ~3.2.  Applications that use unauthenticated opportunistic TLS,
employ DANE or have other ways to avoid X.509 certificates and make do
with raw peer public keys can avoid the overhead of receiving and
processing certificate chains.

The pull request <https://github.com/openssl/openssl/pull/18185> is
still a work in progress, but complete enough for application
integration testing.  Likely too late for OpenSSL 3.1 (in beta now), but
seems likely to land by 3.2.  The TODO items on the OpenSSL side are
at this point IMHO minor.  Review eyeballs of course always appreciated.

I have a Postfix branch with a reasonably complete implementation:

     # posttls-finger -c <domain>
     posttls-finger: <mxhost>[192.0.2.1]:25: raw public key fingerprint=<...>
     posttls-finger: <mxhost>[192.0.2.1]:25: Matched DANE raw public key: 3 1 1 <...>
     posttls-finger: Verified TLS connection established to <mxhost>[192.0.2.1]:25:
         TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519
         server-signature RSA-PSS (2048 bits)
         server-digest SHA256

based on the current state of the pull request.


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
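
The "Matched DANE raw public key: 3 1 1" line in the posttls-finger output above, as an added example that is not part of the original messages and is not Postfix or OpenSSL code: a sketch of matching an RFC 7250 raw public key (a DER SubjectPublicKeyInfo) against a TLSA RRset. The names `TLSA`, `constructed_spki`, `spki_match_data`, `rpk_usable` and `match_raw_public_key` are hypothetical, and the sample key is constructed.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional, Sequence


class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE, 2 = DANE-TA
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes


# DER header of an Ed25519 SubjectPublicKeyInfo; the 32-byte key follows it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def constructed_spki(seed: int) -> bytes:
    """Constructed sample key for the demo, not a real server key."""
    return ED25519_SPKI_PREFIX + bytes((seed + i) % 256 for i in range(32))


def spki_match_data(spki_der: bytes, mtype: int) -> Optional[bytes]:
    """Value a 'x 1 mtype' record must carry for this public key."""
    if mtype == 0:
        return spki_der
    if mtype == 1:
        return hashlib.sha256(spki_der).digest()
    if mtype == 2:
        return hashlib.sha512(spki_der).digest()
    return None  # unknown matching type: record is unusable


def rpk_usable(rrset: Sequence[TLSA]) -> bool:
    """A raw key can only ever satisfy DANE-EE(3) SPKI(1) records."""
    return any(rr.usage == 3 and rr.selector == 1 for rr in rrset)


def match_raw_public_key(spki_der: bytes, rrset: Sequence[TLSA]) -> Optional[TLSA]:
    """Return the TLSA record the peer's raw public key matches, else None."""
    for rr in rrset:
        if rr.usage != 3 or rr.selector != 1:
            continue  # needs a certificate or chain, which RPK does not send
        expected = spki_match_data(spki_der, rr.mtype)
        if expected is not None and hmac.compare_digest(expected, rr.data):
            return rr
    return None
```

A client would check `rpk_usable` before offering the raw public key certificate type: if the RRset holds only certificate-selector or trust-anchor records, a raw key can never authenticate the peer and a certificate is still needed.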
