Support "SSL_CTX_add_server_custom_ext"

[fancycode]

It would be nice if LibreSSL could support SSL_CTX_add_server_custom_ext which is required for example in the nginx-ct module to enable certificate transparency.

I know that LibreSSL was forked from OpenSSL 1.0.1 and the feature was added in 1.0.2 - are there any plans to backport this?

[4a6f656c]

Not immediately - there is a fair amount of work required to support this. Additionally, adding the ability to inject and handle custom TLS extensions raises some concerns regarding attack surface. That said, since you've pointed out an actual use case take a closer look and see if there is a middle ground.

[gbilic]

BoringSSL introduced SSL_CTX_set_signed_cert_timestamp_list function to specifically handle signed certificate timestamps, my fork of nginx-ct makes use of it.

[fancycode]

@gbilic thanks, unfortunately LibreSSL also doesn't support SSL_CTX_set_signed_cert_timestamp_list

[thefangbear]

I would also like Libressl to add this function.

[technion]

Just to update with a specific use case, see build notes here:

https://github.com/grahamedgecombe/nginx-ct

[4a6f656c]

While we're now in a position where we could consider adding this, it would require a reasonable amount of additional code and complexity to support.

Is anyone aware of any valid use case for SSL_CTX_add_{,client,server}_custom_ext() outside of nginx-ct? If not, providing SSL_CTX_set_signed_cert_timestamp_list() is likely
far preferable...