Client CA list sending is also in TLS < 1.3 (RFC6066)


Client CA list sending is also in TLS < 1.3 (RFC6066)

OpenSSL - User mailing list
Hi,

The ability of a TLS client to optionally send a list of trusted
CAs to the TLS server is not new in TLS 1.3.

In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.

So I would suggest that any OpenSSL API to control that feature in
TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
separated from the APIs that control the TLS server sending a list
of client certificate CAs to clients.

This aspect was somehow missed in a recent discussion of this TLS 1.3
behavior (which I cannot find right now).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
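To make the "same information, different framing" point concrete, here is a small codec for the two extension bodies the thread contrasts: the TLS <= 1.2 "Trusted CA Indication" (extension type 3, RFC 6066 section 6) and the TLS 1.3 certificate_authorities extension (extension type 47, RFC 8446 section 4.2.4). This is an added example, not OpenSSL code and not code from either poster; the layouts and type numbers are taken from the two RFCs, and the sample distinguished names are constructed on the spot with a minimal DER helper. It shows why a shared API is only partly possible: the older extension can name a CA by key hash, certificate hash or DN (or say "pre_agreed"), while the TLS 1.3 one carries DNs only, so a mapping between the two has to drop the hash forms.

```python
"""Wire-format codec for the two "CAs the client trusts" TLS extensions.

Constructed example, not OpenSSL code. Layouts follow RFC 6066 section 6
(trusted_ca_keys, type 3) and RFC 8446 section 4.2.4 (certificate_authorities,
type 47). Both parsers reject truncated bodies and trailing bytes.
"""
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_TRUSTED_CA_KEYS = 3           # TLS <= 1.2, RFC 6066 section 6
EXT_CERTIFICATE_AUTHORITIES = 47  # TLS 1.3, RFC 8446 section 4.2.4

# RFC 6066 IdentifierType values.
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, long form when needed)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def x509_name_cn(common_name: str) -> bytes:
    """DER Name holding one commonName (OID 2.5.4.3) RDN; sample data only."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, attr))


def _vec16(items) -> bytes:
    """TLS opaque vector with a 16-bit length prefix (<0..2^16-1>)."""
    body = b"".join(items)
    if len(body) > 0xFFFF:
        raise ValueError("vector exceeds 2^16-1 bytes")
    return struct.pack("!H", len(body)) + body


def encode_trusted_ca_keys(entries) -> bytes:
    """entries: list of (IdentifierType, payload) -> TrustedAuthorities body."""
    out = []
    for itype, payload in entries:
        if itype == PRE_AGREED:
            if payload:
                raise ValueError("pre_agreed carries no identifier")
            out.append(bytes([itype]))
        elif itype in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if len(payload) != 20:
                raise ValueError("SHA1Hash must be exactly 20 bytes")
            out.append(bytes([itype]) + payload)
        elif itype == X509_NAME:
            if not 1 <= len(payload) <= 0xFFFF:
                raise ValueError("DistinguishedName length out of range")
            out.append(bytes([itype]) + _vec16([payload]))
        else:
            raise ValueError(f"unknown IdentifierType {itype}")
    return _vec16(out)


def decode_trusted_ca_keys(data: bytes):
    """Parse a TrustedAuthorities body back into (IdentifierType, payload) tuples."""
    if len(data) < 2:
        raise ValueError("short extension body")
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length does not match extension body")
    pos, end, entries = 2, 2 + total, []
    while pos < end:
        itype = data[pos]
        pos += 1
        if itype == PRE_AGREED:
            entries.append((itype, b""))
        elif itype in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if pos + 20 > end:
                raise ValueError("truncated SHA1Hash")
            entries.append((itype, data[pos:pos + 20]))
            pos += 20
        elif itype == X509_NAME:
            if pos + 2 > end:
                raise ValueError("truncated DistinguishedName length")
            (n,) = struct.unpack("!H", data[pos:pos + 2])
            pos += 2
            if n < 1 or pos + n > end:
                raise ValueError("bad DistinguishedName length")
            entries.append((itype, data[pos:pos + n]))
            pos += n
        else:
            raise ValueError(f"unknown IdentifierType {itype}")
    return entries


def encode_certificate_authorities(names) -> bytes:
    """names: list of DER Names -> CertificateAuthoritiesExtension body.
    RFC 8446 requires at least 3 bytes of authorities, i.e. at least one name."""
    for n in names:
        if not 1 <= len(n) <= 0xFFFF:
            raise ValueError("DistinguishedName length out of range")
    body = _vec16([_vec16([n]) for n in names])
    if len(body) - 2 < 3:
        raise ValueError("authorities vector must be at least 3 bytes")
    return body


def decode_certificate_authorities(data: bytes):
    """Parse a CertificateAuthoritiesExtension body into a list of DER Names."""
    if len(data) < 2:
        raise ValueError("short extension body")
    (total,) = struct.unpack("!H", data[:2])
    if total < 3 or total != len(data) - 2:
        raise ValueError("bad authorities length")
    pos, end, names = 2, 2 + total, []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if n < 1 or pos + n > end:
            raise ValueError("bad DistinguishedName length")
        names.append(data[pos:pos + n])
        pos += n
    return names


def to_tls13_authorities(entries):
    """Carry a trusted_ca_keys list in TLS 1.3 form. Only x509_name entries
    survive: certificate_authorities has no hash or pre_agreed identifiers."""
    return [payload for itype, payload in entries if itype == X509_NAME]


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError (malformed input is refused)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: two DNs plus a cert hash and a pre_agreed marker.
    names = [x509_name_cn("Example Root CA"), x509_name_cn("Example Issuing CA 1")]
    entries = [(X509_NAME, names[0]), (CERT_SHA1_HASH, b"\x11" * 20),
               (X509_NAME, names[1]), (PRE_AGREED, b"")]
    legacy = encode_trusted_ca_keys(entries)
    modern = encode_certificate_authorities(to_tls13_authorities(entries))
    print("trusted_ca_keys body:", legacy.hex())
    print("certificate_authorities body:", modern.hex())
    print("entries lost in TLS 1.3 form:", len(entries) - len(decode_certificate_authorities(modern)))
```

The parsers deliberately refuse bodies whose outer length does not match the extension data and names shorter than one byte; lenient parsers of these vectors are exactly where out-of-bounds reads in handshake code tend to come from. Note also that whichever version is in use, a client that sends its full trust store in this extension reveals that store to every server it talks to, which is the privacy reason for keeping the list short and deliberate rather than dumping the system CA bundle.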

Re: Client CA list sending is also in TLS < 1.3 (RFC6066)

Viktor Dukhovni
> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <[hidden email]> wrote:
>
> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
> defined in RFC6066 Chapter 6.
>
> So I would suggest that any OpenSSL API to control that feature in
> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
> separated from the APIs that control the TLS server sending a list
> of client certificate CAs to clients.
>
> This aspect was somehow missed in a recent discussion of this TLS 1.3
> behavior (which I cannot find right now).

Thanks for the update.  I guess OpenSSL never implemented RFC6066.
I am not sure that supporting this in TLS 1.2 is worth adding, but you
have a valid point of principle.  If it were added, it should use the same
API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.

--
        Viktor.


Re: Client CA list sending is also in TLS < 1.3 (RFC6066)

OpenSSL - User mailing list
On 26/11/2018 20:04, Viktor Dukhovni wrote:

>> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <[hidden email]> wrote:
>>
>> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
>> defined in RFC6066 Chapter 6.
>>
>> So I would suggest that any OpenSSL API to control that feature in
>> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
>> separated from the APIs that control the TLS server sending a list
>> of client certificate CAs to clients.
>>
>> This aspect was somehow missed in a recent discussion of this TLS 1.3
>> behavior (which I cannot find right now).
> Thanks for the update.  I guess OpenSSL never implemented RFC6066.
> I am not sure that supporting this in TLS 1.2 is worth adding, but you
> have a valid point of principle.  If it were added, it should use the same
> API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.
>
Just to clarify: RFC6066 is the main RFC for basic TLS extensions,
with chapters defining such things as SNI and OCSP stapling.

Enjoy

Jakob