[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Openssl in experimental: please test.

On Thu, Feb 14, 2008 at 12:30:07PM +0100, Marc Haber wrote:
> On Tue, 12 Feb 2008 20:54:26 +0100, Kurt Roeckx <kurt@roeckx.be>
> wrote:
> >I've uploaded openssl 0.9.8g-6 to experimental.  It adds support for TLS
> >extensions. 
> Does this include MAC Padding? If so, expect some interoperability
> issues with symbian-based mobile devices.

I guess you mean "random length MAC padding".  This change has
nothing to do with that.  They might add that at some point, and
I doubt it's going to compile time option changing the ABI.

This change is about:
  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
     have new members for a host name.  The SSL data structure has an
     additional member SSL_CTX *initial_ctx so that new sessions can be
     stored in that context to allow for session resumption, even after the
     SSL has been switched to a new SSL_CTX in reaction to a client's
     server_name extension.

     New functions (subject to change):


     New CTRL codes and macros (subject to change):

                                 - SSL_CTX_set_tlsext_servername_callback()
                                      - SSL_CTX_set_tlsext_servername_arg()
         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()

     openssl s_client has a new '-servername ...' option.

     openssl s_server has new options '-servername_host ...', '-cert2 ...',
     '-key2 ...', '-servername_fatal' (subject to change).  This allows
     testing the HostName extension for a specific single host name ('-cert'
     and '-key' remain fallbacks for handshakes without HostName
     negotiation).  If the unrecogninzed_name alert has to be sent, this by
     default is a warning; it becomes fatal with the '-servername_fatal'

Anyway, it's been uploaded to unstable now.


Reply to: