对客户端证书URL的OpenSSL支持
问题描述:
我试图确定OpenSSL库是否支持Client Certificate URLs from RFC 4366。我在OpenSSL文档中找不到任何信息。对客户端证书URL的OpenSSL支持
在文件tls.h我可以看到以下定义:
/* ExtensionType values from RFC3546/RFC4366/RFC6066 */
# define TLSEXT_TYPE_server_name 0
# define TLSEXT_TYPE_max_fragment_length 1
# define TLSEXT_TYPE_client_certificate_url 2
# define TLSEXT_TYPE_trusted_ca_keys 3
# define TLSEXT_TYPE_truncated_hmac 4
# define TLSEXT_TYPE_status_request 5
也有使用客户端扩展的方法:
int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
custom_ext_add_cb add_cb,
custom_ext_free_cb free_cb,
void *add_arg,
custom_ext_parse_cb parse_cb,
void *parse_arg);
我看了在OpenSSL的来源和TLSEXT_TYPE_client_certificate_url是仅用于s_cb.c作为回调支持:
void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
unsigned char *data, int len,
void *arg)
{
BIO *bio = arg;
char *extname;
switch(type)
{
case TLSEXT_TYPE_server_name:
extname = "server name";
break;
case TLSEXT_TYPE_client_certificate_url:
extname = "client certificate URL";
break;
(...)
default:
extname = "unknown";
break;
}
BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
client_server ? "server": "client",
extname, type, len);
BIO_dump(bio, (char *)data, len);
(void)BIO_flush(bio);
}
当我搜索TLSEXT_TYPE_server_name我可以看到有该标志 实例的文件t1_lib.c
unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *buf,
unsigned char *limit)
{
int extdatalen = 0;
unsigned char *orig = buf;
unsigned char *ret = buf;
# ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
# endif
/*
* don't add extensions for SSLv3, unless doing secure renegotiation
*/
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return orig;
ret += 2;
if (ret >= limit)
return NULL; /this really never occurs, but .../
if (!s->hit && s->servername_done == 1
&& s->session->tlsext_hostname != NULL) {
if ((long)(limit - ret - 4) < 0)
return NULL;
s2n(TLSEXT_TYPE_server_name, ret);
s2n(0, ret);
到如此地步,TLSEXT_TYPE_server_name扩展支持的使用它给我带来,但有大约TLSEXT_TYPE_client_certificate_url没有明确的信息。
答
不,这个扩展在任何OpenSSL版本中都不被支持。