TLS-1.3 Certificate Authorities implementation and testing


Alexandre Schaff
Hello,
Sorry if this question has already been asked; I saw https://github.com/openssl/openssl/issues/3029 .
Issue #3029 is a mixed discussion of both the TLS 1.2 extension "trusted CA indication" (rfc6066#section-6) and TLS 1.3 "Certificate Authorities", thus the conclusion is unclear.

Tests done:
OpenSSL version used: openssl-1.1.1a
Client: "openssl s_client ... -requestCAfile .."; the TLS extension is present in the ClientHello.
Server side: 'openssl s_server' using a certfile which has 2 root-CA+cert (certA and certB) and a keyfile which has both secrets.

Whatever the client sends in Certificate Authorities, s_server chooses the first leaf certificate found within certfile.

Questions: Is rfc8446#section-4.2.4 not a mandatory feature of TLS 1.3? Does OpenSSL implement it fully? If yes, how to test?

br,
Alexandre.

Re: TLS-1.3 Certificate Authorities implementation and testing

Viktor Dukhovni
On Mon, Sep 02, 2019 at 06:49:40PM +0200, Alexandre Schaff wrote:

> serverside :  'openssl s_server' using certfile which has 2 root-CA+cert
> (certA and certB)  and keyfile which has both secrets.

The s_server application loads just one certificate chain from its
certFile, and just one key from its keyfile.  This happens before
any interaction with the TLS client.  The test as described is not
useful to discern whether or not OpenSSL supports certificate
selection based on the client's certificate selection hints.

AFAIK, any certificate selection logic needs to go in a suitable
callback, since the SSL_CTX can only store one key per algorithm,
and so certificate selection requires callbacks to instantiate a
per-connection context (as with SNI).

So perhaps your answer is that the OpenSSL library does not presently
provide built-in facilities for client-hint-based certificate
selection, beyond what you get by negotiating a shared signature
algorithm.

--
        Viktor.
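
The selection step that the reply says belongs in a callback, as an added C example that is not part of either message or of OpenSSL: it parses the length-prefixed name list of rfc8446#section-4.2.4 and picks between two chains by issuing-CA name. The `candidate` type, the function names and the sample bytes are constructed for illustration; names are compared bytewise as DER, and wiring the result into a server's certificate callback is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: DER for the one-attribute name CN=<ch>. */
#define DN_BYTES(ch) 0x30,0x0C,0x31,0x0A,0x30,0x08,0x06,0x03,0x55,0x04,0x03,0x0C,0x01,(ch)
static const uint8_t DN_A[] = { DN_BYTES('A') }, DN_B[] = { DN_BYTES('B') };
/* Constructed extension_data values: list length, then length-prefixed DNs. */
static const uint8_t EXT_B[]   = { 0x00,0x10, 0x00,0x0E, DN_BYTES('B') };
static const uint8_t EXT_C_A[] = { 0x00,0x20, 0x00,0x0E, DN_BYTES('C'), 0x00,0x0E, DN_BYTES('A') };
static const uint8_t EXT_BAD[] = { 0x00,0x04, 0x00,0x05, 'x', 'y' };  /* DN overruns list */

/* Hypothetical type: one chain the server holds, keyed by its issuing CA's DER DN. */
struct candidate { const char *label; const uint8_t *ca_dn; size_t ca_dn_len; };
static const struct candidate CHAINS[] = {
    { "certA", DN_A, sizeof DN_A }, { "certB", DN_B, sizeof DN_B } };
#define CA_HINT_MALFORMED (-1)
static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Parse certificate_authorities extension_data (RFC 8446 section 4.2.4) and return
 * the index of the first candidate named by the peer, `fallback` (>= 0) when no
 * name matches, or CA_HINT_MALFORMED when the length fields are inconsistent. */
int select_by_ca_hint(const uint8_t *ext, size_t ext_len,
                      const struct candidate *c, size_t n, int fallback)
{
    if (ext_len < 2 || rd16(ext) < 3 || rd16(ext) != ext_len - 2)
        return CA_HINT_MALFORMED;
    const uint8_t *p = ext + 2, *end = ext + ext_len;
    int found = -1;
    while (p < end) {
        if (end - p < 2) return CA_HINT_MALFORMED;
        size_t dn_len = rd16(p);
        p += 2;
        if (dn_len == 0 || dn_len > (size_t)(end - p)) return CA_HINT_MALFORMED;
        for (size_t i = 0; i < n && found < 0; i++)   /* bytewise DER comparison */
            if (c[i].ca_dn_len == dn_len && memcmp(c[i].ca_dn, p, dn_len) == 0)
                found = (int)i;
        p += dn_len;
    }
    return found >= 0 ? found : fallback;
}

int main(void)
{
    printf("hint CN=B      -> %d\n", select_by_ca_hint(EXT_B, sizeof EXT_B, CHAINS, 2, 0));
    printf("hint CN=C,CN=A -> %d\n", select_by_ca_hint(EXT_C_A, sizeof EXT_C_A, CHAINS, 2, 0));
    printf("bad lengths    -> %d\n", select_by_ca_hint(EXT_BAD, sizeof EXT_BAD, CHAINS, 2, 0));
    return 0;
}
```

The fallback index models a server that still presents a default chain when none of the peer's names match, which is the behaviour the first message observed for every input.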