SNI callback


SNI callback

Jeremy Harris
OpenSSL 1.1.1 FIPS  11 Sep 2018
RHEL 8.0 beta

Using SSL_CTX_set_tlsext_servername_callback()
when the called routine returns SSL_TLSEXT_ERR_NOACK
I was expecting the handshake to fail.  It carries
on; am I doing something wrong?
--
Thanks,
  Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SNI callback

OpenSSL - User mailing list
On Wed, Nov 28, 2018 at 08:48:10PM +0000, Jeremy Harris wrote:
> OpenSSL 1.1.1 FIPS  11 Sep 2018
> RHEL 8.0 beta
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail.  It carries
> on; am I doing something wrong?

NOACK is basically "pretend that there wasn't a callback here";
you should probably use SSL_TLSEXT_ERR_ALERT_FATAL to abort the
connection if you want the handshake to fail.

-Ben

Re: SNI callback

Jeremy Harris
On 28/11/2018 21:03, Benjamin Kaduk via openssl-users wrote:

> On Wed, Nov 28, 2018 at 08:48:10PM +0000, Jeremy Harris wrote:
>> OpenSSL 1.1.1 FIPS  11 Sep 2018
>> RHEL 8.0 beta
>>
>> Using SSL_CTX_set_tlsext_servername_callback()
>> when the called routine returns SSL_TLSEXT_ERR_NOACK
>> I was expecting the handshake to fail.  It carries
>> on; am I doing something wrong?
>
> NOACK is basically "pretend that there wasn't a callback here";
> you should probably use SSL_TLSEXT_ERR_ALERT_FATAL to abort the
> connection if you want the handshake to fail.

Gotcha.
- Thanks


Re: SNI callback

Viktor Dukhovni
In reply to this post by Jeremy Harris
> On Nov 28, 2018, at 3:48 PM, Jeremy Harris <[hidden email]> wrote:
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail.  It carries
> on; am I doing something wrong?

For an SMTP server, SNI values that don't match are not unexpected,
given that e.g. with DANE the DANE-aware clients will send the TLSA
base domain, while non-DANE clients will send the original MX hostname,
which may be different.

So while it is interesting to test failing on SNI mismatch, please DO NOT
fail handshakes on SNI mismatch in SMTP.

--
        Viktor.
