Copy custom extension flags in a call to SSL_set_SSL_CTX() (1.1.0) #3426
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 tasks
richsalz
suggested changes
May 10, 2017
ssl/t1_ext.c
Outdated
| size_t i; | ||
|
|
||
| for (i = 0; i < src->meths_count; i++) { | ||
| custom_ext_method *methsrc = src->meths + i; |
There was a problem hiding this comment.
same comment; local variable that's just incremented in the for loop.
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for a connection as part of an SNI callback. One result of this is that the s->cert structure is replaced. However this structure contains information about any custom extensions that have been loaded. In particular flags are set indicating whether a particular extension has been received in the ClientHello. By replacing the s->cert structure we lose the custom extension flag values, and it appears as if a client has not sent those extensions. SSL_set_SSL_CTX() should copy any flags for custom extensions that appear in both the old and the new cert structure. Fixes openssl#2180
Test that custom extensions still work even after a change in SSL_CTX due to SNI. See openssl#2180.
mattcaswell
force-pushed
the
sni-cust-exts-110
branch
from
c8892ae
to
53908dc
Compare
richsalz
approved these changes
May 10, 2017
levitte
pushed a commit
that referenced
this pull request
May 10, 2017
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for a connection as part of an SNI callback. One result of this is that the s->cert structure is replaced. However this structure contains information about any custom extensions that have been loaded. In particular flags are set indicating whether a particular extension has been received in the ClientHello. By replacing the s->cert structure we lose the custom extension flag values, and it appears as if a client has not sent those extensions. SSL_set_SSL_CTX() should copy any flags for custom extensions that appear in both the old and the new cert structure. Fixes #2180 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3426)
pracj3am
pushed a commit
to cdn77/openssl
that referenced
this pull request
Aug 22, 2017
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for a connection as part of an SNI callback. One result of this is that the s->cert structure is replaced. However this structure contains information about any custom extensions that have been loaded. In particular flags are set indicating whether a particular extension has been received in the ClientHello. By replacing the s->cert structure we lose the custom extension flag values, and it appears as if a client has not sent those extensions. SSL_set_SSL_CTX() should copy any flags for custom extensions that appear in both the old and the new cert structure. Fixes openssl#2180 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3426)
pracj3am
pushed a commit
to cdn77/openssl
that referenced
this pull request
Aug 22, 2017
Test that custom extensions still work even after a change in SSL_CTX due to SNI. See openssl#2180. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3426)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for
a connection as part of an SNI callback. One result of this is that the
s->cert structure is replaced. However this structure contains information
about any custom extensions that have been loaded. In particular flags are
set indicating whether a particular extension has been received in the
ClientHello. By replacing the s->cert structure we lose the custom
extension flag values, and it appears as if a client has not sent those
extensions.
SSL_set_SSL_CTX() should copy any flags for custom extensions that appear
in both the old and the new cert structure.
Fixes #2180
This is the 1.1.0 version of #3425
Checklist