Re: [openssl-users] RFC5077 ticket construction help

Wed, 28 Mar 2018 10:38:33 -0700 

Ok, but I’d like to use TLS rather than Kerberos. I’m wondering if I could do 
something like this:

 
C sends a Client Hello with 0 length Session Ticket to B.
B sends back a NewSessionTicket to C in Server Hello.
C sets SSL_CTX_sess_set_new_cb(ctx, new_session_cb) and saves the session 
blob/ticket in the new_session_cb function indexed by the URL of B.
A contacts C with the URL of B
C looks up session ticket indexed by URL of B
C sends A the session ticket.
A contact B and sets the ticket using SSL_set_session_ticket_ext(ssl, ticket, 
ticket size)
 

Feasible? I’m trying something like this now but I can’t get it working. 

 

From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Michael 
Sierchio <ku...@tenebras.com>
Reply-To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Date: Wednesday, March 28, 2018 at 12:45 PM
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Subject: [EXTERNAL] Re: [openssl-users] RFC5077 ticket construction help

 

 

Since there exists a reference implementation, and the source code is 
available, why not start there?  The symmetric key protocol is the basis of 
Kerberos.

 

- M

 

On Wed, Mar 28, 2018 at 9:26 AM, Henderson, Karl via openssl-users 
<openssl-users@openssl.org> wrote:

Need some help with RFC5077 ticket construction. I’d like to implement a type 
of Needham-Schroeder protocol where:

 
A wants to talk to B
A and B have a relationship with C
C constructs an RFC5077 ticket and gives it to A so that A can contact B
 

Are there any good examples of how to do this?

 

The problem I think I’m having the most difficulty with is understanding what I 
need to put into the encrypted_state portion of the session ticket.

 

Thanks,

Karl

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



 

-- 

"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, 
but an intelligent person requires only two thousand five hundred." 


- The Mahābhārata

Attachment: smime.p7s
Description: S/MIME cryptographic signature

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to