From: ori@eigenstate.org
To: 9front@9front.org
Subject: Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension
Date: Wed, 18 Jan 2023 23:48:19 -0500 [thread overview]
Message-ID: <C88AFCF6653A5D06E1BF2CC935CC5A86@eigenstate.org> (raw)
In-Reply-To: <CB2C19E96BE83E931CBD2B9A5377DC3A@eigenstate.org>
Quoth ori@eigenstate.org:
> Quoth Anthony Martin <ality@pbrane.org>:
> > OpenSSL 3.0 clients refuse to connect to servers that do not
> > support the renegotiation extension (RFC 5746) unless the default
> > configuration is changed to allow it. Since we do not support
> > renegotiation, we only need to make minor changes to the initial
> > handshake to comply with the specification:
> >
> > 1. For tlsClient, simply add the proper SCSV to the ClientHello
> > cipher list (cf. RFC 5746 § 3.3);
> >
> > 2. For tlsServer, respond with an empty renegotiation extension
> > in the ServerHello if we received either the SCSV or an empty
> > renegotiation extension in the ClientHello.
> >
> > Since we close the hand file and never open it after the initial
> > handshake, we can rely on tls(3) to send the "no renegotiation"
> > alerts if subsequent handshake records are received.
> >
>
> I'll have to find time to go over the changes this weekend in more
> details, and actually read the RFC -- but from a quick read, it
> looks like the 'ext' that you allocate in tlsServerExtensions gets leaked.
>
wait, never mind, it looks like msgClear handles that.
next prev parent reply other threads:[~2023-01-19 4:49 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-10 2:24 Anthony Martin
2023-01-18 15:07 ` [9front] " Anthony Martin
2023-01-19 4:30 ` [9front] " ori
2023-01-19 4:48 ` ori [this message]
2022-11-10 2:24 ` Anthony Martin
2023-01-28 21:20 ` ori
2023-01-28 21:59 ` cinap_lenrek
2023-01-19 9:50 ` Anthony Martin
2023-01-20 12:12 ` hiro
2023-01-20 21:05 ` Anthony Martin
2023-01-20 22:33 ` hiro
2023-01-21 3:48 ` Anthony Martin
2023-01-21 12:54 ` hiro
2023-01-21 17:29 ` Steve Simon
2023-01-22 16:00 ` hiro
2023-01-22 7:55 ` Anthony Martin
2023-01-22 16:10 ` hiro
2023-01-23 11:18 ` Anthony Martin
2023-01-23 13:16 ` hiro
2023-01-23 14:24 ` Ori Bernstein
2023-01-23 14:29 ` Ori Bernstein
2023-01-24 0:14 ` hiro
2023-01-24 0:16 ` hiro
2023-01-25 16:19 ` kemal
2023-01-25 16:39 ` hiro
2023-01-25 17:07 ` kemal
2023-01-25 17:18 ` hiro
2023-01-25 17:30 ` kemal
2023-01-25 17:36 ` kemal
2023-01-26 20:54 ` hiro
2023-01-26 21:52 ` Frank D. Engel, Jr.
2023-01-27 6:11 ` kemal
2023-01-27 10:55 ` hiro
2023-01-27 17:38 ` kemal
2023-01-23 16:23 ` hiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C88AFCF6653A5D06E1BF2CC935CC5A86@eigenstate.org \
--to=ori@eigenstate.org \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).