libressl / openbsd

Source code pulled from OpenBSD for LibreSSL - this includes most of the library and supporting code. The place to contribute to this code is via the OpenBSD CVS tree. Please mail patches to tech@openbsd.org, instead of submitting pull requests, since this tree is often rebased.

Support "SSL_CTX_add_server_custom_ext" #55

Open fancycode opened 9 years ago

fancycode commented 9 years ago

It would be nice if LibreSSL could support SSL_CTX_add_server_custom_ext which is required for example in the nginx-ct module to enable certificate transparency.

I know that LibreSSL was forked from OpenSSL 1.0.1 and the feature was added in 1.0.2 - are there any plans to backport this?

4a6f656c commented 9 years ago

Not immediately - there is a fair amount of work required to support this. Additionally, adding the ability to inject and handle custom TLS extensions raises some concerns regarding attack surface. That said, since you've pointed out an actual use case, take a closer look and see if there is a middle ground.

gbilic commented 8 years ago

BoringSSL introduced the SSL_CTX_set_signed_cert_timestamp_list function to specifically handle signed certificate timestamps; my fork of nginx-ct makes use of it.

fancycode commented 8 years ago

@gbilic thanks, unfortunately LibreSSL also doesn't support SSL_CTX_set_signed_cert_timestamp_list.

thefangbear commented 8 years ago

I would also like LibreSSL to add this function.

technion commented 7 years ago

Just to update with a specific use case, see build notes here:

https://github.com/grahamedgecombe/nginx-ct

4a6f656c commented 6 years ago

While we're now in a position where we could consider adding this, it would require a reasonable amount of additional code and complexity to support.

Is anyone aware of any valid use case for SSL_CTX_add_{,client,server}_custom_ext() outside of nginx-ct? If not, providing SSL_CTX_set_signed_cert_timestamp_list() is likely far preferable...
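The narrower function discussed in this thread, SSL_CTX_set_signed_cert_timestamp_list(), takes an already-serialized SignedCertificateTimestampList (RFC 6962, section 3.3) and sends it verbatim in the signed_certificate_timestamp extension. The structural check below is an added example written for this page; it is not code from LibreSSL, BoringSSL or nginx-ct. It walks the two-level length framing of the list and the fixed layout of each v1 SCT (RFC 6962, section 3.2) so that a malformed blob is rejected at configuration time rather than shipped to every client. The sample list it builds is constructed for the example: the log id, timestamp and signature bytes are placeholders, not a real SCT, and the code validates framing only, not signatures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a big-endian uint16 at *off, advancing *off. Returns 0 on short input. */
static int read_u16(const uint8_t *p, size_t len, size_t *off, uint16_t *out) {
    if (*off + 2 > len) return 0;
    *out = (uint16_t)((p[*off] << 8) | p[*off + 1]);
    *off += 2;
    return 1;
}

/* Check the layout of one SerializedSCT body (RFC 6962 section 3.2, v1 only):
 * version(1) log_id(32) timestamp(8) extensions<0..2^16-1>
 * hash_alg(1) sig_alg(1) signature<0..2^16-1>. Returns 1 if well-formed. */
static int sct_v1_well_formed(const uint8_t *sct, size_t len) {
    size_t off;
    uint16_t n;
    if (len < 1 + 32 + 8) return 0;
    if (sct[0] != 0) return 0;                      /* version: v1 is encoded as 0 */
    off = 1 + 32 + 8;                               /* skip log_id and timestamp */
    if (!read_u16(sct, len, &off, &n)) return 0;    /* extensions length */
    if (off + n > len) return 0;
    off += n;
    if (off + 2 > len) return 0;                    /* hash and signature algorithm */
    off += 2;
    if (!read_u16(sct, len, &off, &n)) return 0;    /* signature length */
    if (off + n != len) return 0;                   /* no trailing bytes allowed */
    return 1;
}

/* Walk a SignedCertificateTimestampList (RFC 6962 section 3.3).
 * Returns the number of SCTs, or -1 if the framing is inconsistent. */
int count_sct_list(const uint8_t *buf, size_t len) {
    size_t off = 0;
    uint16_t list_len, sct_len;
    int count = 0;
    if (!read_u16(buf, len, &off, &list_len)) return -1;
    if (list_len == 0 || off + list_len != len) return -1; /* list must fill the buffer */
    while (off < len) {
        if (!read_u16(buf, len, &off, &sct_len)) return -1;
        if (sct_len == 0 || off + sct_len > len) return -1;
        if (!sct_v1_well_formed(buf + off, sct_len)) return -1;
        off += sct_len;
        count++;
    }
    return count;
}

/* Constructed sample: one v1 SCT with an all-zero log id, a zero timestamp,
 * no extensions and a two-byte placeholder signature. Returns bytes written. */
size_t build_sample_sct_list(uint8_t *out, size_t cap) {
    static const uint8_t sct[] = {
        0x00,                                               /* version v1 */
        0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,                   /* log_id (placeholder) */
        0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
        0,0,0,0,0,0,0,0,                                    /* timestamp (placeholder) */
        0x00, 0x00,                                         /* extensions length 0 */
        0x04, 0x03,                                         /* sha256, ecdsa */
        0x00, 0x02, 0x30, 0x00                              /* signature length 2, placeholder */
    };
    size_t sct_len = sizeof(sct);                           /* 49 */
    size_t total = 2 + 2 + sct_len;                         /* 53 */
    if (cap < total) return 0;
    out[0] = (uint8_t)((sct_len + 2) >> 8);                 /* outer list length */
    out[1] = (uint8_t)((sct_len + 2) & 0xff);
    out[2] = (uint8_t)(sct_len >> 8);                       /* inner SCT length */
    out[3] = (uint8_t)(sct_len & 0xff);
    memcpy(out + 4, sct, sct_len);
    return total;
}

/* Result of checking the intact sample list. */
int sample_sct_count(void) {
    uint8_t b[64];
    size_t n = build_sample_sct_list(b, sizeof b);
    return count_sct_list(b, n);
}

/* Result of checking the same list with its last byte cut off. */
int sample_truncated_result(void) {
    uint8_t b[64];
    size_t n = build_sample_sct_list(b, sizeof b);
    return count_sct_list(b, n - 1);
}

int main(void) {
    printf("intact list: %d SCT(s)\n", sample_sct_count());
    printf("truncated list: %d\n", sample_truncated_result());
    return 0;
}
```

The check deliberately insists that the outer length covers the buffer exactly and that each SCT's signature ends exactly at the SCT boundary; a blob that passes this walk is at least framed the way the extension receiver expects, which is the property an operator loading a file into an SCT-list configuration option wants confirmed before the server starts advertising it.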