Correctly handle client certificate custom extensions by mattcaswell · Pull Request #16634 · openssl/openssl

mattcaswell · 2021-09-20T14:01:27Z

Most extensions are initially sent in the ClientHello and then (optionally) responded to in subsequent messages from the server. However client Certificate messages work differently. In this case the initial extension is added to the server's CertificateRequest message, and the client then may (optionally) respond with the same extension in it's Certificate message.

This was not handled correctly for custom extensions meaning that it was not possible to add custom extensions to a client certificate message.

This should go to 3.0 and 1.1.1. It mostly cherry-picks ok to 1.1.1 but with a trivial conflict in the test. Since its trivial I won't create a separate PR for that branch.

Fixes #16632

Normally we expect a client to send new extensions in the ClientHello, which may be echoed back by the server in subsequent messages. However the server can also send a new extension in the certificate request message to be echoed back in a certificate message Fixes openssl#16632

Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message.

paulidale · 2021-09-20T23:50:15Z

Good for all the branches.

t8m

OK for all branches.

openssl-machine · 2021-09-22T00:00:14Z

This pull request is ready to merge

Normally we expect a client to send new extensions in the ClientHello, which may be echoed back by the server in subsequent messages. However the server can also send a new extension in the certificate request message to be echoed back in a certificate message Fixes #16632 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16634)

Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16634)

Normally we expect a client to send new extensions in the ClientHello, which may be echoed back by the server in subsequent messages. However the server can also send a new extension in the certificate request message to be echoed back in a certificate message Fixes #16632 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16634) (cherry picked from commit cbb862f)

Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16634) (cherry picked from commit 0db3a99)

Normally we expect a client to send new extensions in the ClientHello, which may be echoed back by the server in subsequent messages. However the server can also send a new extension in the certificate request message to be echoed back in a certificate message Fixes #16632 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16634) (cherry picked from commit cbb862f)

Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16634) (cherry picked from commit 0db3a99)

mattcaswell · 2021-10-11T10:40:05Z

Pushed to master, 3.0 and 1.1.1

mattcaswell added 2 commits September 20, 2021 14:39

Extend custom extension testing

52d35b4

Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message.

mattcaswell added branch: master Applies to master branch approval: review pending This pull request needs review by a committer branch: 1.1.1 Applies to OpenSSL_1_1_1-stable branch (EOL) branch: 3.0 Applies to openssl-3.0 branch labels Sep 20, 2021

mattcaswell mentioned this pull request Sep 20, 2021

Custom TLS1.3 Certificate Message Extension not working on client side #16632

Closed

paulidale approved these changes Sep 20, 2021

View reviewed changes

paulidale added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Sep 20, 2021

t8m approved these changes Sep 21, 2021

View reviewed changes

t8m added the triaged: bug The issue/pr is/fixes a bug label Sep 21, 2021

openssl-machine removed the approval: done This pull request has the required number of approvals label Sep 22, 2021

openssl-machine added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Sep 22, 2021

mattcaswell closed this Oct 11, 2021

dstebila pushed a commit to open-quantum-safe/openssl that referenced this pull request Mar 15, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Comments

Correctly handle client certificate custom extensions#16634

Correctly handle client certificate custom extensions#16634
mattcaswell wants to merge 2 commits intoopenssl:masterfrom
mattcaswell:cert-request-extensions

mattcaswell commented Sep 20, 2021

Uh oh!

paulidale commented Sep 20, 2021

Uh oh!

t8m left a comment

Uh oh!

openssl-machine commented Sep 22, 2021

Uh oh!

mattcaswell commented Oct 11, 2021

Uh oh!

Uh oh!

Comments

Conversation

mattcaswell commented Sep 20, 2021

Uh oh!

paulidale commented Sep 20, 2021

Uh oh!

t8m left a comment

Choose a reason for hiding this comment

Uh oh!

openssl-machine commented Sep 22, 2021

Uh oh!

mattcaswell commented Oct 11, 2021

Uh oh!