Hi Steve,
That is exactly what I needed. I've just tried it out with
OpenSSL-1.0.2-beta1 and it works perfectly.
Do you have any ETA on when 1.0.2 will be released?
Thank you!
On Wed, Jun 4, 2014 at 4:29 PM, Dr. Stephen Henson wrote:
> On Wed, Jun 04, 2014, DEXTER wrote:
>
> > > Well, th
On Wed, Jun 4, 2014 at 4:49 PM, Viktor Dukhovni wrote:
>
> Sounds like the requested feature is already implemented. That's some
> fast work. :-)
>
>
Indeed, it is some fast work. That's all that about the "itching" feature,
low priority, and many years...
> --
> Viktor.
It supports both, yet lots of complicated work to create a full event system.
Well, okay :)
As opposed to having the SNI callback block on a mutex while some other thread
wakes up and does whatever work is needed.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
On Wed, Jun 04, 2014 at 04:29:19PM +0200, Dr. Stephen Henson wrote:
> In the server case the callback is called when the server certificate is
> required. It has a feature where the callback can return -1 and this then sets
> a special state SSL_ERROR_WANT_X509_LOOKUP and you can retry in the same
On Wed, Jun 04, 2014, DEXTER wrote:
> > Well, that's not how it works. Normally when OpenSSL returns with
> >> something like WANT_READ or WANT_WRITE, it is possible to later
> >> determine whether the preconditions for moving forward are satisfied.
> >>
> >> In this case you're asking OpenSSL t
On Wed, Jun 04, 2014 at 10:03:34AM -0400, Salz, Rich wrote:
> > You could try the OpenSSL RT. I would suspect that such a feature would be
> > relatively low on the priority list.
>
> Especially because OpenSSL's programming model is to use threads, not events.
It supports both, in fact given t
> You could try the OpenSSL RT. I would suspect that such a feature would be
> relatively low on the priority list.
Especially because OpenSSL's programming model is to use threads, not events.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me;
On Wed, Jun 04, 2014 at 12:04:14PM +0200, DEXTER wrote:
> >> In this case you're asking OpenSSL to just wait for nothing in
> >> particular. That feature does not exist.
> >
> > That's the problem. I'm kindly asking the devs of openssl to make this
> > feature exist.
>
> Now that Openssl has two
> Well, that's not how it works. Normally when OpenSSL returns with
>> something like WANT_READ or WANT_WRITE, it is possible to later
>> determine whether the preconditions for moving forward are satisfied.
>>
>> In this case you're asking OpenSSL to just wait for nothing in
>> particular. That
On Tue, May 27, 2014 at 05:28:31PM +0200, DEXTER wrote:
> On Tue, May 27, 2014 at 5:09 PM, Viktor Dukhovni wrote:
>
> > On Tue, May 27, 2014 at 04:57:39PM +0200, DEXTER wrote:
> >
> > > Not now. Right now I'm sort of hacking the connection. I mean, I store
> > > the client's data in a temp buf
On Tue, May 27, 2014 at 5:09 PM, Viktor Dukhovni wrote:
> On Tue, May 27, 2014 at 04:57:39PM +0200, DEXTER wrote:
>
> > Not now. Right now I'm sort of hacking the connection. I mean, I store
> > the client's data in a temp buffer, and when I got back to the client to
> > continue the handshake wi
On Tue, May 27, 2014 at 04:57:39PM +0200, DEXTER wrote:
> > Do you instantiate the keypair in
> > question in a new SSL_CTX that you associate with the SSL connection
> > before returning from the SNI callback?
>
> Not now. Right now I'm sort of hacking the connection. I mean, I store
> the client
On Tue, May 27, 2014 at 4:34 PM, Viktor Dukhovni wrote:
> On Tue, May 27, 2014 at 03:20:22PM +0200, DEXTER wrote:
>
> So you are writing an MiTM proxy?
Exactly.
> When you "sign" the server
> certificate, do you replace the public key with a new public key
> whose private key you know?
Yep.
On Tue, May 27, 2014 at 03:20:22PM +0200, DEXTER wrote:
> Before I know what certificate I should show to the client, I have to
> connect to the server to get the certificate from it (and then copy it,
> sign it, etc.).
So you are writing an MiTM proxy? When you "sign" the server
certificate, do
What do you mean by "I have to register default certificates"? There are no
default certificates.
Before I know what certificate I should show to the client, I have to
connect to the server to get the certificate from it (and then copy it,
sign it, etc.).
But before connecting to the server I need th
On Tue, May 27, 2014 at 12:03:05PM +0200, DEXTER wrote:
> That is exactly what I thought first, to control it with BIOs.
> Unfortunately even if I give openssl the exact number of bytes (not more)
> to be able to call the SNI callback, right after I return from the
> callback, openssl's own state m
That is exactly what I thought first, to control it with BIOs.
Unfortunately even if I give openssl the exact number of bytes (not more)
to be able to call the SNI callback, right after I return from the
callback, openssl's own state machine goes into a state where it'll
immediately say the: No sha
I would think that this could be done by handling BIO communications
yourself via memory BIOs, then sending the content of those BIOs over the
network as appropriate. But, this does appear to be something that needs
attention (given the reactive nature of SNI's specification long after the
origina
Hi!
In a proxying environment when the client connects to the proxy and it
sends the SNI, you have to suspend the handshake with the client side,
start the handshake on the serverside, get the certificate from the server,
and send that certificate back to the client.
This is only possible if I ca