Discussion:
[openssl.org #3555] OCSP Stapling Enhancement (diff included)
Joe Urciuoli via RT
2014-10-04 05:41:54 UTC
Like most options, it is beneficial to have the SSL object inherit the Certificate Status Request extension setting from its SSL_CTX. We have found this particularly useful with libraries that only let you configure the SSL_CTX and never hand you the per-connection SSL object (libcurl, for example). The diff below allows the value set through SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE on an SSL_CTX to be inherited by every SSL object created from it.

Thanks,
Joe


--- ./include/openssl/ssl.h 2013-03-22 09:39:35.000000000 -0400
+++ /ws/jurciuol-rtp/cyclonebranch/oneC/third_party/ciscossl-1.0.1e.4.0/./include/openssl/ssl.h 2014-08-21 13:43:32.698820000 -0400
@@ -932,6 +932,7 @@
/* Callback for status request */
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
+ int tlsext_status_type; //used for Certificate Status Request extension (OCSP Stapling)

/* draft-rescorla-tls-opaque-prf-input-00.txt information */
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
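Review bot: The new member is inserted in the middle of the public SSL_CTX structure, which shifts the offset of every field that follows it (tlsext_opaque_prf_input_callback onward); on the 1.0.x line this struct is visible to applications, so this looks like an ABI change and is better placed at the end of the struct or held for a release where such additions are allowed. The `//` comment on the added line is also out of keeping with the surrounding `/* */` style and is not valid C89, which this header is still expected to build as. I would write it as `int tlsext_status_type; /* status_request type inherited by SSL_new(); -1 = none */` so the sentinel value used elsewhere in the patch is documented where the field is declared. The enclosing struct definition starts and ends outside this hunk.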
--- ./ssl/ssl_lib.c 2013-03-22 09:39:34.000000000 -0400
+++ /ws/jurciuol-rtp/cyclonebranch/oneC/third_party/ciscossl-1.0.1e.4.0/./ssl/ssl_lib.c 2014-08-21 13:49:22.436487000 -0400
@@ -353,7 +353,7 @@
s->tlsext_debug_cb = 0;
s->tlsext_debug_arg = NULL;
s->tlsext_ticket_expected = 0;
- s->tlsext_status_type = -1;
+ s->tlsext_status_type = ctx->tlsext_status_type;
s->tlsext_status_expected = 0;
s->tlsext_ocsp_ids = NULL;
s->tlsext_ocsp_exts = NULL;
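Review bot: Copying `ctx->tlsext_status_type` here only makes the new SSL object *request* a stapled status; as far as this hunk shows, nothing decides what happens when the server sends no response or an invalid one, that still depends on `tlsext_status_cb` (visible in the header hunks but not changed by this patch) being installed and returning failure. A caller relying on inheritance from a library-owned SSL_CTX should be told that, otherwise it is easy to believe stapling is enforced when it is merely requested. I would add `/* Inherited from the SSL_CTX; only causes the extension to be sent - enforcement is up to tlsext_status_cb */` on the new line. The copy also depends on SSL_CTX_new always initialising the field, which a separate hunk of this patch does; SSL_new starts and ends outside this hunk.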
@@ -1843,6 +1843,7 @@

ret->tlsext_status_cb = 0;
ret->tlsext_status_arg = NULL;
+ ret->tlsext_status_type = -1;

# ifndef OPENSSL_NO_NEXTPROTONEG
ret->next_protos_advertised_cb = 0;
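Review bot: The added initialiser uses the bare sentinel `-1` with no indication of what it means, and the same literal was just removed from SSL_new in another hunk, so the meaning now lives nowhere in the code. A one-line comment keeps the two sites in step: `ret->tlsext_status_type = -1; /* no status_request extension until set via SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE */`. SSL_CTX_new starts and ends outside this hunk.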
--- ./ssl/s3_lib.c 2013-03-22 09:39:34.000000000 -0400
+++ /ws/jurciuol-rtp/cyclonebranch/oneC/third_party/ciscossl-1.0.1e.4.0/./ssl/s3_lib.c 2014-08-21 13:51:29.832288000 -0400
@@ -3591,6 +3591,9 @@
}
return 1;
}
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
+ ctx->tlsext_status_type=larg;
+ break;

#ifdef TLSEXT_TYPE_opaque_prf_input
case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG:
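Review bot: The new case stores `larg` unchecked, so any integer becomes the context-wide status type and is then inherited by every SSL object, whereas only the OCSP type and the -1 "disabled" value appear to be meaningful; if tls1.h provides a named constant for the OCSP status type, the assignment should be guarded by a comparison against it and -1 and return 0 otherwise. The neighbouring case (the `return 1;` just above) returns explicitly, while this one `break`s and relies on whatever follows the switch, which is outside the hunk; returning `1` explicitly would be consistent and makes the success path obvious. The enclosing ssl3_ctx_ctrl starts and ends outside this hunk.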
--- ./ssl/tls1.h 2013-03-22 09:39:35.000000000 -0400
+++ /ws/jurciuol-rtp/cyclonebranch/oneC/third_party/ciscossl-1.0.1e.4.0/./ssl/tls1.h 2014-08-21 13:54:43.617636000 -0400
@@ -368,6 +368,9 @@
#define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg)

+#define SSL_CTX_set_tlsext_status_type(ssl, type) \
+SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL)
+
#define SSL_set_tlsext_opaque_prf_input(s, src, len) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT, len, src)
#define SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) \
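Review bot: The new macro takes an SSL_CTX but names its first parameter `ssl`, copied from the `SSL_CTX_set_tlsext_status_arg` macro above it, and it passes `type` into the ctrl call without parentheses. Naming the parameter for what it is and parenthesising the argument avoids both the misleading name and an expansion surprise: `#define SSL_CTX_set_tlsext_status_type(ctx, type) \` followed by `SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,(type), NULL)`. A one-line comment noting that the value is inherited by SSL objects created afterwards, not by existing ones, would also help callers.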
--- ./ssl/ssl.h 2013-03-22 09:39:35.000000000 -0400
+++ /ws/jurciuol-rtp/cyclonebranch/oneC/third_party/ciscossl-1.0.1e.4.0/./ssl/ssl.h 2014-08-21 13:43:32.698820000 -0400
@@ -932,6 +932,7 @@
/* Callback for status request */
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
+ int tlsext_status_type; //used for Certificate Status Request extension (OCSP Stapling)

/* draft-rescorla-tls-opaque-prf-input-00.txt information */
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
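Review bot: This hunk is byte-for-byte the same change as the earlier one against include/openssl/ssl.h; in a 1.0.1 tree the include/openssl copy appears to be a link to ssl/ssl.h, so the patch seems to touch one file twice and will fail to apply cleanly on the second attempt. Dropping one of the two hunks is probably all that is needed, and the `//` comment and mid-struct placement remarks made on the first copy apply here as well.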


Salz, Rich
2014-10-04 14:53:25 UTC
This is cool, we should do it, but it's probably too late for 1.0.2.
Thanks!