我尝试确定OpenSSL库是否支持Client Certificate URLs from RFC 4366。我在OpenSSL文档中找不到任何信息。
在文件tls.h中,我可以看到以下定义:
/* ExtensionType values from RFC3546 / RFC4366 / RFC6066 */
# define TLSEXT_TYPE_server_name 0
# define TLSEXT_TYPE_max_fragment_length 1
# define TLSEXT_TYPE_client_certificate_url 2
# define TLSEXT_TYPE_trusted_ca_keys 3
# define TLSEXT_TYPE_truncated_hmac 4
# define TLSEXT_TYPE_status_request 5
还有一种使用客户端扩展的方法:
int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
custom_ext_add_cb add_cb,
custom_ext_free_cb free_cb,
void *add_arg,
custom_ext_parse_cb parse_cb,
void *parse_arg);
我查看了OpenSSL源代码,TLSEXT_TYPE_client_certificate_url仅在文件s_cb.c中用作回调支持:
void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
unsigned char *data, int len,
void *arg)
{
BIO *bio = arg;
char *extname;
switch(type)
{
case TLSEXT_TYPE_server_name:
extname = "server name";
break;
case TLSEXT_TYPE_client_certificate_url:
extname = "client certificate URL";
break;
(...)
default:
extname = "unknown";
break;
}
BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
client_server ? "server": "client",
extname, type, len);
BIO_dump(bio, (char *)data, len);
(void)BIO_flush(bio);
}
当我搜索TLSEXT_TYPE_server_name时,我可以看到有这个标志的用法
文件t1_lib.c
unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *buf,
unsigned char *limit)
{
int extdatalen = 0;
unsigned char *orig = buf;
unsigned char *ret = buf;
# ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
# endif
/*
* don't add extensions for SSLv3, unless doing secure renegotiation
*/
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return orig;
ret += 2;
if (ret >= limit)
return NULL; / this really never occurs, but ... /
if (!s->hit && s->servername_done == 1
&& s->session->tlsext_hostname != NULL) {
if ((long)(limit - ret - 4) < 0)
return NULL;
s2n(TLSEXT_TYPE_server_name, ret);
s2n(0, ret);
这让我想到了TLSEXT_TYPE_server_name扩展程序的支持,但没有关于TLSEXT_TYPE_client_certificate_url的明确信息。
答案 0 :(得分:1)
不,任何OpenSSL版本都不支持此扩展。