Add certificate selection callback #5430

Closed
mpg opened this issue Jan 13, 2022 · 2 comments · Fixed by #5454
Labels
enhancement help-wanted This issue is not being actively worked on, but PRs welcome. size-s Estimated task size: small (~2d)

Comments


mpg commented Jan 13, 2022

Suggested enhancement

Add a new callback (server-side) that's called at the right time for the server to select a certificate.

Constraints:

  • must be after all ClientHello extensions have been parsed, as the server might use information from those extensions in order to select a certificate
  • must be before the ServerHello is sent, as the selection of the ciphersuite depends on the type of certificate selected.

Justification

Mbed TLS needs this because sometimes the server needs to adjust its behaviour based on multiple extensions, so per-extension callbacks (such as the existing SNI callback) are not enough. An example is servers that want to support the ACME "tls-alpn-01" challenge, where certificate selection needs to happen based not only on SNI but also on the ALPN extension, as reported in #5331.

Finally, it appears there's a similar callback in OpenSSL since 1.0.2 and people are using it.
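As an added illustration (not code from this issue or from Mbed TLS itself), the C function below carries out the selection the issue asks for, using the tls-alpn-01 case from #5331: the decision needs both the SNI and the ALPN extension, so it can only run once the whole ClientHello has been parsed and must be settled before the ServerHello is built. Certificates are modelled as opaque strings and the `cert_table`, hostnames and certificate names are constructed; reading the SNI and ALPN values from the handshake and installing the chosen certificate on the connection is assumed to happen in the surrounding callback and is not shown.

```c
#include <stddef.h>
#include <string.h>

/* Constructed certificate table standing in for the server's configured
 * certificate/key pairs. Each hostname has its ordinary serving certificate
 * and, while an ACME tls-alpn-01 (RFC 8737) validation is pending, the
 * self-signed challenge certificate issued for that validation. */
typedef struct {
    const char *hostname;
    const char *serving_cert;
    const char *acme_challenge_cert;   /* NULL when no challenge is pending */
} cert_entry_t;

static const cert_entry_t cert_table[] = {
    { "example.com",     "cert:example.com",     NULL },
    { "www.example.com", "cert:www.example.com", "challenge:www.example.com" },
};
#define DEFAULT_CERT "cert:example.com"
#define ACME_ALPN    "acme-tls/1"      /* ALPN identifier defined by RFC 8737 */

/* Certificate selection: runs once both SNI and ALPN are known, i.e. after
 * every ClientHello extension has been parsed and before the ServerHello is
 * built. sni is the raw (not NUL-terminated) server_name value or NULL when
 * the client sent none; alpn is the protocol selected from the ClientHello's
 * ALPN list or NULL. Returns the certificate to present, or NULL when none
 * fits and the handshake should be failed: an acme-tls/1 client must never
 * be answered with an unrelated production certificate. */
const char *select_cert(const unsigned char *sni, size_t sni_len, const char *alpn)
{
    int acme = (alpn != NULL && strcmp(alpn, ACME_ALPN) == 0);
    size_t i;

    if (sni == NULL) {
        /* A tls-alpn-01 validation always carries SNI; without it there is
         * nothing to validate, so refuse. Ordinary clients get the default. */
        return acme ? NULL : DEFAULT_CERT;
    }
    for (i = 0; i < sizeof(cert_table) / sizeof(cert_table[0]); i++) {
        const cert_entry_t *e = &cert_table[i];
        if (strlen(e->hostname) == sni_len &&
            memcmp(e->hostname, sni, sni_len) == 0) {
            /* Same name, different certificate depending on ALPN: this is
             * the decision a per-extension SNI callback alone cannot make. */
            return acme ? e->acme_challenge_cert : e->serving_cert;
        }
    }
    return acme ? NULL : DEFAULT_CERT;   /* unknown name */
}
```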

@mpg mpg added enhancement help-wanted This issue is not being actively worked on, but PRs welcome. Product Backlog size-s Estimated task size: small (~2d) labels Jan 13, 2022
@mpg mpg added this to Incoming Items in OBSOLETE - SEE https://github.com/orgs/Mbed-TLS/projects/3 via automation Jan 13, 2022
gstrauss added a commit to gstrauss/mbedtls that referenced this issue Jan 25, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
@gstrauss
#5454 "server certificate selection callback" submitted as a Draft for discussion.

gstrauss added a commit to gstrauss/mbedtls that referenced this issue Jan 31, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
gstrauss added a commit to gstrauss/mbedtls that referenced this issue Feb 2, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
@mpg mpg linked a pull request Feb 7, 2022 that will close this issue
3 tasks
gstrauss added a commit to gstrauss/mbedtls that referenced this issue Feb 7, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
gstrauss added a commit to gstrauss/mbedtls that referenced this issue Feb 16, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
gstrauss added a commit to gstrauss/mbedtls that referenced this issue Feb 21, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

mpg commented Feb 22, 2022

Renaming to "add certificate selection callback" - after discussion with the team, we agreed that new callbacks should not be named after a particular point in the handshake, but after the action they're meant to allow. Handshake flows might change between versions and it's our job to shield users from those low-level details and just run the callback at the right time for the associated action.

@mpg mpg changed the title Add an unconditional end-of-ClientHello callback Add certificate selection callback Feb 22, 2022
gstrauss added a commit to gstrauss/mbedtls that referenced this issue Feb 25, 2022
Mbed-TLS#5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
@mpg mpg closed this as completed in #5454 Mar 10, 2022
@daverodgman daverodgman added this to High priority 3.0 follow-up in EPICs for Mbed TLS Mar 30, 2022