Hi Susan,

Is it so that TS_SSL_CERT_HOOK will (could?) also be called for
server certificates inside the ServerHello handler?

In this case ATS, being an SSL proxy, could provide a way to validate
the server cert chain and prevent a MITM attack if the browser (for example)
has a 3rd-party Root CA installed.

-Lev


2015-01-27 21:58 GMT+02:00 Susan Hinrichs <shinr...@network-geographics.com>:
> I've rejiggered things to be in a single callback, and I think it looks a
> lot simpler for the plugin writer.  As you noted multiple callbacks can be
> confusing.
>
> I'm going to let my changes rest overnight and post them tomorrow for
> review.
>
>
>
> On 1/27/2015 11:04 AM, Roland Zink wrote:
>>
>> It is quite possible that the SNI option is used to select an appropriate
>> certificate (usually web servers do this); when a plugin tries to do this then
>> the existence of more than one callback to do this could be confusing. SNI
>> is a TLS option but there are others like ALPN, so all of them could
>> potentially be in one callback.
>>
>> Regards,
>> Roland
>>
>> -----Original Message-----
>> From: Susan Hinrichs [mailto:shinr...@network-geographics.com]
>> Sent: Tuesday, January 27, 2015 5:34 PM
>> To: dev@trafficserver.apache.org
>> Subject: Re: Certificate process in openssl 1.0.2
>>
>>
>> On 1/27/2015 10:30 AM, James Peach wrote:
>>>>
>>>> On Jan 27, 2015, at 8:18 AM, Susan Hinrichs
>>>> <shinr...@network-geographics.com> wrote:
>>>>
>>>> Originally, I was planning on leaving in plugin support for both the SNI
>>>> callback and the cert callback.  But as I reflect, I question that 
>>>> decision.
>>>> I think it adds complexity without giving more power to the plugin writer.
>>>>
>>>> Both callbacks take place at the same point in the handshake.  From both
>>>> callbacks you can set the certificate.  Depending on the version and patch
>>>> level, only one of the callbacks will let you pause processing.
>>>>
>>>> Perhaps it is better to support only one point for the plugin to call back
>>>> after the client hello during the handshake processing? If we did that, ATS
>>>> could adapt depending on the linked version of openssl and the plugin would
>>>> not change.  I'd still add a TS_SSL_CERT_HOOK for clarity, but I'd make it
>>>> the same value as TS_SSL_SNI_HOOK.
>>>
>>> Why do you need to make this change? What is the compatibility impact?
>>
>> Well we do need to support the certificate callbacks in openssl 1.0.2, so
>> we have a means to pause handshake processing to load certificates, etc in a
>> stock version of openssl.
>>>>
>>>> If openssl 1.0.1 is linked, it would execute the plugin's callback
>>>> during the SNI callback.  If openssl 1.0.2 is linked, it would execute the
>>>> plugin's callback during the certificate callback.
>>>
>>> Did openssl 1.0.1 contain your patch? If there is no released version of
>>> openssl that contains the original callback you added, what is it that we
>>> need to support?
>>
>> My patch was not rolled into open ssl.  The only reason to continue to
>> support it is that we had previously supported it.  If you are unable to
>> move to openssl 1.0.2, then at least you can patch up openssl 1.0.1 (though
>> if you can run with a patched version you can likely upgrade too).
>>
>> My second idea would have the least impact upon people who have already
>> invested effort in writing plugins on the SNI callback.
>>
>> Judging from your questions, you don't see a reason to support both a SNI
>> callback and a certificate callback either.  Is that right?
>>
>>>> What are people's thoughts?
>>>>
>>>> Thanks,
>>>> Susan
>>>>
>>>> On 1/27/2015 10:08 AM, Susan Hinrichs wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> With 1.0.2 openssl expanded their support of the certificate callback
>>>>> to handle pausing processing during the SSL handshake negotiation.  This
>>>>> replaces the functionality I added to the SNI callback in my patch for
>>>>> openssl 1.0.1.
>>>>>
>>>>> With TS-3319, I'm updating the ATS callback logic to support the
>>>>> certificate callback if you are compiling against openssl 1.0.2.
>>>>>
>>>>> There is a new hook constant, TS_SSL_CERT_HOOK.  If you had a SNI
>>>>> callback that was pausing the handshake to make decisions about the
>>>>> certificate, you can move it from the TS_SSL_SNI_HOOK to the
>>>>> TS_SSL_CERT_HOOK.
>>>>>
>>>>> I'm finishing tidying up TS-3319.  It should be ready later today or
>>>>> tomorrow.
>>>>>
>>>>> Susan
>
>



-- 
-Lev
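The thread above argues for a single plugin callback placed right after the ClientHello, on the grounds that SNI and ALPN (and whatever else the client offers) are all visible at that one point. The following is an added example, not code from the thread or from Traffic Server, showing exactly what such a post-ClientHello callback has to work with: a bounds-checked parser that walks a raw TLS record and pulls out the server_name and ALPN extensions. The sample ClientHello bytes are constructed here for the demo (host name "example.test", ALPN "h2" and "http/1.1"), not captured traffic, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255

/* What a callback placed after the ClientHello can see: the SNI host name
 * and the ALPN protocols the client offered. */
typedef struct {
    char sni[MAX_NAME + 1];      /* empty string if no server_name extension */
    char alpn[4][MAX_NAME + 1];  /* up to four offered protocols, in order */
    size_t alpn_count;
} hello_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one TLS record holding a ClientHello. Returns 0 on success,
 * -1 if the record is malformed or truncated. Every length field is
 * checked against the enclosing structure before it is trusted. */
int parse_client_hello(const uint8_t *buf, size_t len, hello_info_t *out)
{
    size_t pos, hs_len, ext_end;
    memset(out, 0, sizeof *out);

    /* record header: content_type(1) version(2) length(2); 0x16 = handshake */
    if (len < 5 || buf[0] != 0x16 || (size_t)rd16(buf + 3) + 5 > len) return -1;
    len = (size_t)rd16(buf + 3) + 5;
    pos = 5;
    /* handshake header: msg_type(1) length(3); 0x01 = ClientHello */
    if (pos + 4 > len || buf[pos] != 0x01) return -1;
    hs_len = ((size_t)buf[pos + 1] << 16) | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    pos += 4;
    if (pos + hs_len > len) return -1;
    len = pos + hs_len;

    if (pos + 34 > len) return -1;         /* client_version(2) + random(32) */
    pos += 34;
    if (pos + 1 > len) return -1;          /* session_id<0..32> */
    pos += 1 + buf[pos];
    if (pos + 2 > len) return -1;          /* cipher_suites<2..2^16-2> */
    pos += 2 + rd16(buf + pos);
    if (pos + 1 > len) return -1;          /* compression_methods<1..2^8-1> */
    pos += 1 + buf[pos];
    if (pos == len) return 0;              /* no extensions at all */
    if (pos + 2 > len) return -1;
    ext_end = pos + 2 + rd16(buf + pos);
    pos += 2;
    if (ext_end > len) return -1;

    while (pos + 4 <= ext_end) {
        uint16_t type = rd16(buf + pos), elen = rd16(buf + pos + 2);
        const uint8_t *ext = buf + pos + 4;
        pos += 4;
        if (pos + elen > ext_end) return -1;
        pos += elen;
        if (type == 0 && elen >= 2) {                  /* server_name (RFC 6066) */
            size_t list_len = rd16(ext), i = 2;
            if (list_len + 2 > elen) return -1;
            while (i + 3 <= 2 + list_len) {
                uint8_t ntype = ext[i];
                size_t nlen = rd16(ext + i + 1);
                i += 3;
                if (i + nlen > 2 + list_len) return -1;
                if (ntype == 0 && nlen <= MAX_NAME && out->sni[0] == '\0') {
                    memcpy(out->sni, ext + i, nlen);   /* name_type 0 = host_name */
                    out->sni[nlen] = '\0';
                }
                i += nlen;
            }
        } else if (type == 16 && elen >= 2) {          /* ALPN (RFC 7301) */
            size_t list_len = rd16(ext), i = 2;
            if (list_len + 2 > elen) return -1;
            while (i < 2 + list_len) {
                size_t plen = ext[i++];
                if (i + plen > 2 + list_len) return -1;
                if (out->alpn_count < 4 && plen <= MAX_NAME) {
                    memcpy(out->alpn[out->alpn_count], ext + i, plen);
                    out->alpn[out->alpn_count][plen] = '\0';
                    out->alpn_count++;
                }
                i += plen;
            }
        }
    }
    return 0;
}

/* Constructed sample (not captured traffic): a minimal TLS 1.2 ClientHello
 * with SNI "example.test" and ALPN "h2", "http/1.1". Writes into buf
 * (needs 91 bytes) and returns the length. */
size_t build_sample_hello(uint8_t *buf)
{
    static const uint8_t head[] = { 0x16, 0x03, 0x01, 0x00, 0x56,  /* record, len 86 */
                                    0x01, 0x00, 0x00, 0x52,        /* ClientHello, len 82 */
                                    0x03, 0x03 };                  /* client_version */
    static const uint8_t tail[] = {
        0x00,                          /* session_id length 0 */
        0x00, 0x02, 0xc0, 0x2f,        /* one cipher suite */
        0x01, 0x00,                    /* compression: null only */
        0x00, 0x27,                    /* extensions length 39 */
        0x00, 0x00, 0x00, 0x11, 0x00, 0x0f, 0x00, 0x00, 0x0c,
        'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 't', 'e', 's', 't',
        0x00, 0x10, 0x00, 0x0e, 0x00, 0x0c,
        0x02, 'h', '2', 0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' };
    size_t n = 0;
    memcpy(buf, head, sizeof head);  n += sizeof head;
    memset(buf + n, 0x11, 32);       n += 32;        /* fixed "random" for the demo */
    memcpy(buf + n, tail, sizeof tail); n += sizeof tail;
    return n;
}

/* Parse the constructed sample, optionally cut short to `cut` bytes
 * (0 = whole record); returns the parser's result code. */
int parse_sample(size_t cut, hello_info_t *out)
{
    uint8_t buf[128];
    size_t n = build_sample_hello(buf);
    return parse_client_hello(buf, cut ? cut : n, out);
}

/* Convenience accessors with static storage so results can be checked
 * without the caller holding a struct. */
const hello_info_t *sample_info(void)
{
    static hello_info_t info;
    parse_sample(0, &info);
    return &info;
}

int main(void)
{
    const hello_info_t *h = sample_info();
    hello_info_t scratch;
    printf("SNI: %s\n", h->sni);
    for (size_t i = 0; i < h->alpn_count; i++) printf("ALPN[%zu]: %s\n", i, h->alpn[i]);
    printf("truncated record rc: %d\n", parse_sample(60, &scratch));
    return 0;
}
```

The point for a plugin writer is that everything Roland lists (SNI, ALPN, and any other ClientHello extension) is already on the wire when a single post-ClientHello hook fires, so one callback loses nothing relative to separate SNI and certificate callbacks; the truncation check at the end shows why the lengths must be validated before a callback acts on them.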
