对客户端证书URL的OpenSSL支持
我正在尝试确定 OpenSSL 库是否支持客户端证书 URL（client_certificate_url）扩展。我在 OpenSSL 文档中找不到任何相关信息。在文件
tls.h
中,我可以看到以下定义:
/* ExtensionType values from RFC3546 / RFC4366 / RFC6066 */
/*
 * These are the registered ExtensionType numbers that go on the wire
 * (the value s2n() writes into a hello message), NOT a list of
 * extensions the library implements: a name being defined here says
 * nothing about whether OpenSSL builds or parses that extension.
 */
# define TLSEXT_TYPE_server_name 0
# define TLSEXT_TYPE_max_fragment_length 1
/* client_certificate_url (RFC 6066): the client supplies a URL for its
 * certificate instead of the certificate itself, so the URL is
 * peer-controlled input for any server that honours it.
 * NOTE(review): on this page the constant is only referenced by the
 * s_cb.c debug callback, never by extension-building code. */
# define TLSEXT_TYPE_client_certificate_url 2
# define TLSEXT_TYPE_trusted_ca_keys 3
# define TLSEXT_TYPE_truncated_hmac 4
# define TLSEXT_TYPE_status_request 5
还有一个用于添加客户端自定义扩展的函数:
/**
 * Register a custom, application-handled client extension on ctx.
 *
 * @param ctx       the SSL_CTX the extension handlers are attached to
 * @param ext_type  ExtensionType number, e.g. one of the TLSEXT_TYPE_*
 *                  values above
 * @param add_cb    callback that supplies the extension body to send
 *                  (presumably invoked while the ClientHello is built --
 *                  verify against the OpenSSL manual page)
 * @param free_cb   callback releasing whatever add_cb handed out
 * @param add_arg   opaque pointer passed through to add_cb / free_cb
 * @param parse_cb  callback handed the peer's extension body; that body is
 *                  untrusted network input and must be length-checked by
 *                  the callback before it is interpreted
 * @param parse_arg opaque pointer passed through to parse_cb
 * @return int -- NOTE(review): the success/failure convention is not
 *                shown here; check the manual page before relying on it
 */
int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
custom_ext_add_cb add_cb,
custom_ext_free_cb free_cb,
void *add_arg,
custom_ext_parse_cb parse_cb,
void *parse_arg);
我已经查看了 OpenSSL 源代码,TLSEXT_TYPE_client_certificate_url 仅在文件 s_cb.c 的一个回调中被引用:
/*
 * Debug callback that logs every TLS extension observed during the
 * handshake to a BIO.
 *
 * s             the connection the extension was seen on (unused here)
 * client_server non-zero when the extension came from the server side
 *               (see the "server"/"client" label chosen below)
 * type          ExtensionType number (TLSEXT_TYPE_*); only used to pick a
 *               human-readable name, so unknown values are handled
 * data, len     raw extension body as received from the peer -- treated
 *               purely as untrusted bytes: it is dumped, never parsed
 * arg           the BIO to write to
 *
 * This callback only reports extensions; it does not implement any of
 * them, so a case label here is not evidence the extension is supported.
 */
void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
unsigned char *data, int len,
void *arg)
{
BIO *bio = arg;
char *extname;
switch(type)
{
case TLSEXT_TYPE_server_name:
extname = "server name";
break;
case TLSEXT_TYPE_client_certificate_url:
extname = "client certificate URL";
break;
(...) /* remaining TLSEXT_TYPE_* cases omitted in this excerpt */
default:
extname = "unknown";
break;
}
/* one summary line, then a dump of the len bytes at data */
BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
client_server ? "server": "client",
extname, type, len);
BIO_dump(bio, (char *)data, len);
(void)BIO_flush(bio);
}
当我搜索 TLSEXT_TYPE_server_name 时,可以在文件 t1_lib.c 中看到该标志的用法:
unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *buf,
unsigned char *limit)
{
int extdatalen = 0;
unsigned char *orig = buf;
unsigned char *ret = buf;
# ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
# endif
/*
* don't add extensions for SSLv3, unless doing secure renegotiation
*/
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return orig;
ret += 2;
if (ret >= limit)
return NULL; / this really never occurs, but ... /
if (!s->hit && s->servername_done == 1
&& s->session->tlsext_hostname != NULL) {
if ((long)(limit - ret - 4) < 0)
return NULL;
s2n(TLSEXT_TYPE_server_name, ret);
s2n(0, ret);
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
unsigned char *limit)
{
int extdatalen = 0;
unsigned char *orig = buf;
unsigned char *ret = buf;
# ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
# endif
/*
* don't add extensions for SSLv3, unless doing secure renegotiation
*/
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return orig;
ret += 2;
if (ret >= limit)
return NULL; /* this really never occurs, but ... */
if (!s->hit && s->servername_done == 1
&& s->session->tlsext_hostname != NULL) {
if ((long)(limit - ret - 4) < 0)
return NULL;
s2n(TLSEXT_TYPE_server_name, ret);
s2n(0, ret);
这让我得出的结论是:TLSEXT_TYPE_server_name 扩展是受支持的,但关于 TLSEXT_TYPE_client_certificate_url 没有任何明确信息。

不,任何 OpenSSL 版本都不支持此扩展。