Early data based on SNI with OpenSSL 1.1.1


Early data based on SNI with OpenSSL 1.1.1

Olivier Houchard
Hi,

I'm trying to use OpenSSL 1.1.1 to accept or reject early data based on
the SNI, and I'm a bit confused on how to do so.
The problem I have is, I don't know the SNI before the client hello
callback is called, and at that time it seems to be too late to make a
decision for early data. Either the callback is called from
SSL_do_handshake(), and then any call to SSL_read_early_data() will fail
with SSL_ERROR_SSL, and early data will be rejected, or it is called if
I call SSL_read_early_data() first, but then early data will be
considered accepted no matter what.

I tried returning -1 from the client hello callback, but if called from
SSL_do_handshake to indicate early data are to be read, it seems to be too
late to call SSL_read_early_data() anyway, and if called from
SSL_read_early_data() to indicate we should stop reading early data, it
mostly works, except that s->early_data_state will be
SSL_EARLY_DATA_ACCEPT_RETRY, and so any call to SSL_read() will fail
because of that test in ssl_read_internal():
    if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
        || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
        SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return 0;
    }

Am I missing something obvious? Is there any way I can accept or reject
early data based on the SNI?

Thanks!

Olivier
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Early data based on SNI with OpenSSL 1.1.1

Matt Caswell


On 23/10/17 16:16, Olivier Houchard wrote:

> Hi,
>
> I'm trying to use OpenSSL 1.1.1 to accept or reject early data based on
> the SNI, and I'm a bit confused on how to do so.
> The problem I have is, I don't know the SNI before the client hello
> callback is called, and at that time it seems to be too late to make a
> decision for early data. Either the callback is called from
> SSL_do_handshake(), and then any call to SSL_read_early_data() will fail
> with SSL_ERROR_SSL, and early data will be rejected, or it is called if
> I call SSL_read_early_data() first, but then early data will be
> considered accepted no matter what.
>
> I tried returning -1 from the client hello callback, but if called from
> SSL_do_handshake to indicate early data are to be read, it seems to be too
> late to call SSL_read_early_data() anyway, and if called from
> SSL_read_early_data() to indicate we should stop reading early data, it
> mostly works, except that s->early_data_state will be
> SSL_EARLY_DATA_ACCEPT_RETRY, and so any call to SSL_read() will fail
> because of that test in ssl_read_internal():
>     if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
>         || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
>         SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
>         return 0;
>     }
>
> Am I missing something obvious? Is there any way I can accept or reject
> early data based on the SNI?

From the docs:

https://www.openssl.org/docs/manmaster/man3/SSL_set_max_early_data.html

"When a session is created between a server and a client the server will
specify the maximum amount of any early data that it will accept on any
future connection attempt. By default this is approximately 16k. A
server may override this default value by calling
SSL_CTX_set_max_early_data() or SSL_set_max_early_data() to set it for
the whole SSL_CTX or an individual SSL object respectively. Similarly
the SSL_CTX_get_max_early_data() and SSL_get_max_early_data() functions
can be used to obtain the current maximum early data settings for the
SSL_CTX and SSL objects respectively."

So, probably the best way to do this is to set the max early data for
the server CTXs that you don't want to accept early_data to 0. Then any
sessions they issue will not allow early_data to be used. If a client
does attempt to use that session to send early data then it will
be automatically rejected.

If that doesn't work for you another way (I think?) to do this would be
to set the max early data for that SSL object (using
SSL_set_max_early_data()) to 0 during the callback.

Matt

Re: Early data based on SNI with OpenSSL 1.1.1

Olivier Houchard
Hi Matt,

Sorry for the late answer.

On Mon, Oct 23, 2017 at 04:31:02PM +0100, Matt Caswell wrote:

>
>
> On 23/10/17 16:16, Olivier Houchard wrote:
> > Hi,
> >
> > I'm trying to use OpenSSL 1.1.1 to accept or reject early data based on
> > the SNI, and I'm a bit confused on how to do so.
> > The problem I have is, I don't know the SNI before the client hello
> > callback is called, and at that time it seems to be too late to make a
> > decision for early data. Either the callback is called from
> > SSL_do_handshake(), and then any call to SSL_read_early_data() will fail
> > with SSL_ERROR_SSL, and early data will be rejected, or it is called if
> > I call SSL_read_early_data() first, but then early data will be
> > considered accepted no matter what.
> >
> > I tried returning -1 from the client hello callback, but if called from
> > SSL_do_handshake to indicate early data are to be read, it seems to be too
> > late to call SSL_read_early_data() anyway, and if called from
> > SSL_read_early_data() to indicate we should stop reading early data, it
> > mostly works, except that s->early_data_state will be
> > SSL_EARLY_DATA_ACCEPT_RETRY, and so any call to SSL_read() will fail
> > because of that test in ssl_read_internal():
> >     if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
> >         || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
> >         SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
> >         return 0;
> >     }
> >
> > Am I missing something obvious? Is there any way I can accept or reject
> > early data based on the SNI?
>
> From the docs:
>
> https://www.openssl.org/docs/manmaster/man3/SSL_set_max_early_data.html
>
> "When a session is created between a server and a client the server will
> specify the maximum amount of any early data that it will accept on any
> future connection attempt. By default this is approximately 16k. A
> server may override this default value by calling
> SSL_CTX_set_max_early_data() or SSL_set_max_early_data() to set it for
> the whole SSL_CTX or an individual SSL object respectively. Similarly
> the SSL_CTX_get_max_early_data() and SSL_get_max_early_data() functions
> can be used to obtain the current maximum early data settings for the
> SSL_CTX and SSL objects respectively."
>
> So, probably the best way to do this is to set the max early data for
> the server CTXs that you don't want to accept early_data to 0. Then any
> sessions they issue will not allow early_data to be used. If a client
> does attempt to use that session to send early data then it will
> be automatically rejected.
>

This didn't seem to do the trick, however,

> If that doesn't work for you another way (I think?) to do this would be
> to set the max early data for that SSL object (using
> SSL_set_max_early_data()) to 0 during the callback.
>

This definitely did! Thanks a lot!

Regards,

Olivier
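The approach Olivier confirms above, as an added example written for this page (it is not code from the thread, from HAProxy or from the OpenSSL project): a client hello callback that reads the server_name extension with SSL_client_hello_get0_ext(), parses the host name, and calls SSL_set_max_early_data(ssl, 0) for any host not on an allow list, so that a client's 0-RTT data is rejected on that connection. The allow list (static.example.com, cdn.example.com) is a constructed placeholder, and the OpenSSL-dependent part is behind a USE_OPENSSL guard so the extension parser and the policy decision compile and run on their own; build_sni_ext() exists only to construct test input in the wire format. Missing or malformed SNI is treated as "reject", the conservative choice since replayed early data is the risk being managed.

```c
/* Added example (not code from the thread or from OpenSSL): refuse TLS 1.3
 * early data per SNI from the client hello callback. The host allow list is
 * a constructed placeholder.
 * Build with OpenSSL 1.1.1+: cc -DUSE_OPENSSL sni_0rtt.c -lssl -lcrypto */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Serialise an RFC 6066 server_name extension body for host (used here only
 * to build a constructed test input). Returns bytes written, 0 on error. */
size_t build_sni_ext(const char *host, unsigned char *buf, size_t buflen)
{
    size_t n = strlen(host);
    if (n == 0 || n > 0xFFFF - 3 || buflen < n + 5) return 0;
    buf[0] = (unsigned char)((n + 3) >> 8); buf[1] = (unsigned char)(n + 3);
    buf[2] = 0;                               /* NameType host_name */
    buf[3] = (unsigned char)(n >> 8); buf[4] = (unsigned char)n;
    memcpy(buf + 5, host, n);
    return n + 5;
}

/* Parse the extension body exactly as SSL_client_hello_get0_ext() returns it:
 * 2-byte list length, then entries of NameType(1) + length(2) + bytes.
 * Copies the first host_name entry into out, NUL-terminated.
 * Returns 1 on success, 0 on absent, truncated or malformed input. */
int parse_sni_ext(const unsigned char *ext, size_t len, char *out, size_t outlen)
{
    size_t list_len, pos = 2;
    if (ext == NULL || len < 2) return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != len) return 0;            /* length does not match */
    while (pos + 3 <= len) {
        unsigned char type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > len - pos) return 0;       /* entry runs past the end */
        if (type == 0) {                          /* host_name */
            if (name_len == 0 || name_len >= outlen) return 0;
            if (memchr(ext + pos, '\0', name_len) != NULL) return 0; /* embedded NUL */
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return 1;
        }
        pos += name_len;                          /* skip unknown NameType */
    }
    return 0;
}

/* Constructed policy: hosts whose requests are safe to replay, so 0-RTT is tolerable. */
static const char *const early_data_hosts[] = { "static.example.com", "cdn.example.com" };

/* Returns 1 if early data should be allowed for the given SNI extension body,
 * 0 otherwise. Missing or malformed SNI is treated as "reject". */
int early_data_allowed(const unsigned char *ext, size_t len)
{
    char host[256];
    size_t i;
    if (!parse_sni_ext(ext, len, host, sizeof host)) return 0;
    for (i = 0; i < sizeof early_data_hosts / sizeof early_data_hosts[0]; i++)
        if (strcasecmp(host, early_data_hosts[i]) == 0) return 1;
    return 0;
}

#ifdef USE_OPENSSL
#include <openssl/ssl.h>

/* Client hello callback: runs before any early data is processed, so lowering
 * the per-connection limit to 0 here makes OpenSSL reject the client's 0-RTT. */
static int client_hello_cb(SSL *ssl, int *al, void *arg)
{
    const unsigned char *ext = NULL;
    size_t extlen = 0;
    (void)al; (void)arg;
    if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &ext, &extlen)
        || !early_data_allowed(ext, extlen))
        SSL_set_max_early_data(ssl, 0);
    return SSL_CLIENT_HELLO_SUCCESS;
}

void install_sni_early_data_policy(SSL_CTX *ctx)
{
    SSL_CTX_set_client_hello_cb(ctx, client_hello_cb, NULL);
}
#endif
```

The server still drives the handshake with SSL_read_early_data() as usual; with the limit lowered to 0 the client's early data is not delivered, and SSL_get_early_data_status() reports SSL_EARLY_DATA_REJECTED, so the application can log which hosts had 0-RTT refused. Host comparison is case-insensitive because DNS names are; the parser rejects embedded NUL bytes and length mismatches rather than trusting the client's framing.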