SSL_CTX_set_tlsext_ticket_key_cb - creating a valid ctx and hmac ctx in callback.

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

SSL_CTX_set_tlsext_ticket_key_cb - creating a valid ctx and hmac ctx in callback.

OpenSSL - User mailing list

I know there may be a million reasons people can tell me not to do this, but for some dome code, I need to have a client contact a server with an RFC5077 ticket (not one previously sent from the server) with a propriety payload in the IV. I’d like to use the key_name in the ticket to get a key. And then I’d like to use this and create a valid context and hmac so that I can have a 0-RTT startup.

 

Are there any good examples on how this might be done?

 

Note, I’m running 1.1.0 with opaqueness, so I’ll need to use CTX accessor functions.

 

Thanks,

Karl

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

smime.p7s (7K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: SSL_CTX_set_tlsext_ticket_key_cb - creating a validctx and hmac ctx in callback.

Guido

Vielen Dank!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

Gesendet von Mail für Windows 10

 

Von: [hidden email]
Gesendet: Dienstag, 3. April 2018 17:02
An: [hidden email]
Betreff: [openssl-users] SSL_CTX_set_tlsext_ticket_key_cb - creating a validctx and hmac ctx in callback.

 

I know there may be a million reasons people can tell me not to do this, but for some dome code, I need to have a client contact a server with an RFC5077 ticket (not one previously sent from the server) with a propriety payload in the IV. I’d like to use the key_name in the ticket to get a key. And then I’d like to use this and create a valid context and hmac so that I can have a 0-RTT startup.

 

Are there any good examples on how this might be done?

 

Note, I’m running 1.1.0 with opaqueness, so I’ll need to use CTX accessor functions.

 

Thanks,

Karl

 

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: SSL_CTX_set_tlsext_ticket_key_cb - creating a valid ctx and hmac ctx in callback.

OpenSSL - User mailing list
In reply to this post by OpenSSL - User mailing list
Thanks for the response - yes, I do understand I'm re-purposing this mechanism in a creative way. At this time, it's just for experimental purposes.

On 4/3/18, 5:34 PM, "Viktor Dukhovni" <[hidden email]> wrote:

   
   
    > On Apr 3, 2018, at 11:00 AM, Henderson, Karl via openssl-users <[hidden email]> wrote:
    >
    > I know there may be a million reasons people can tell me not to do this, but for some dome code, I need to have a client contact a server with an RFC5077 ticket (not one previously sent from the server) with a propriety payload in the IV. I’d like to use the key_name in the ticket to get a key. And then I’d like to use this and create a valid context and hmac so that I can have a 0-RTT startup.
   
    This is too sketchy to provide a meaningful response.  Session tickets are a mechanism for a server to *export* its session state to clients, allowing the server to do stateless session resumption.  They are not a mechanism for anything else, and other uses are likely to be fragile, and possibly insecure.  Too much creativity here is risky.
   
    > Are there any good examples on how this might be done?
   
    Probably not.
   
    --
    Viktor.
   
   

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users