Re: How to reject a certificate with access_denied?

2022-06-07 Thread Matt Caswell




On 07/06/2022 13:46, Michael Richardson wrote:

> Matt Caswell wrote:
>  > On 06/06/2022 18:08, Christian Schmidt wrote:
>  >> Hi,
>  >> I am building a server application that allows a user to log in by
>  >> providing a certificate. In order to do custom checks, I have added a
>  >> verify callback to my code to check the certificate on top of its
>  >> cryptographic features (CA Valid, etc).
>  >> If the certificate does not pass my extended checks, I would like to
>  >> return the access_denied alert as per RFC8446 section 6.2:
>  >> access_denied:  A valid certificate or PSK was received, but when
>  >> access control was applied, the sender decided not to proceed with
>  >> negotiation.
>  >> However, I can't find a way to generate this alert in openssl, although
>  >> openssl can handle receiving it.
>  >> How do I make a callback return a non-defined (as in not defined in the
>  >> headers) alert?
>
>  > This is not currently possible.
>
>  > OpenSSL has an internal table which maps verify errors to TLS alerts:
>
>  > https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394
>
>  > Unfortunately there are no entries in this table that map to the
>  > access_denied alert.
>
> Would extensions to this list be welcome?
> Should Christian send a PR?


I would be happy to review such a PR - although it would only be applied 
to master and not 3.0 or 1.1.1. Any PR could only be in the form of 
additions to the table (not modifications to existing entries), so as 
not to break existing behaviour.


Matt





Re: How to reject a certificate with access_denied?

2022-06-07 Thread Michael Richardson
Matt Caswell wrote:
> On 06/06/2022 18:08, Christian Schmidt wrote:
>> Hi,
>> I am building a server application that allows a user to log in by
>> providing a certificate. In order to do custom checks, I have added a
>> verify callback to my code to check the certificate on top of its
>> cryptographic features (CA Valid, etc).
>> If the certificate does not pass my extended checks, I would like to
>> return the access_denied alert as per RFC8446 section 6.2:
>> access_denied:  A valid certificate or PSK was received, but when
>> access control was applied, the sender decided not to proceed with
>> negotiation.
>> However, I can't find a way to generate this alert in openssl, although
>> openssl can handle receiving it.
>> How do I make a callback return a non-defined (as in not defined in the
>> headers) alert?

> This is not currently possible.

> OpenSSL has an internal table which maps verify errors to TLS alerts:

> https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394

> Unfortunately there are no entries in this table that map to the
> access_denied alert.

Would extensions to this list be welcome?
Should Christian send a PR?




Re: How to reject a certificate with access_denied?

2022-06-07 Thread Matt Caswell




On 06/06/2022 18:08, Christian Schmidt wrote:

> Hi,
>
> I am building a server application that allows a user to log in by
> providing a certificate. In order to do custom checks, I have added a
> verify callback to my code to check the certificate on top of its
> cryptographic features (CA Valid, etc).
>
> If the certificate does not pass my extended checks, I would like to
> return the access_denied alert as per RFC8446 section 6.2:
>
> access_denied:  A valid certificate or PSK was received, but when
> access control was applied, the sender decided not to proceed with
> negotiation.
>
> However, I can't find a way to generate this alert in openssl, although
> openssl can handle receiving it.
>
> How do I make a callback return a non-defined (as in not defined in the
> headers) alert?


This is not currently possible.

OpenSSL has an internal table which maps verify errors to TLS alerts:

https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394

Unfortunately there are no entries in this table that map to the 
access_denied alert.


Matt
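As a client-side complement to Matt's point that OpenSSL chooses the alert from a fixed verify-error table, here is an added example (not from the thread and not OpenSSL code) that decodes the alert record a rejecting server actually sent, so that logs can tell an access_denied rejection apart from the certificate alerts that table does produce. The alert numbers are the RFC 8446 section 6 values; the sample records are constructed.

```python
import struct

CONTENT_TYPE_ALERT = 21

# AlertDescription values from RFC 8446 section 6 (certificate-related
# subset plus close_notify and internal_error).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 80: "internal_error", 116: "certificate_required",
}
# Alerts saying the certificate itself was unacceptable, as opposed to
# access_denied, where it was valid but access control rejected the peer.
CERTIFICATE_PROBLEM_ALERTS = {42, 43, 44, 45, 46, 48, 116}


def decode_alert_record(record: bytes) -> dict:
    """Parse exactly one TLS record; raise ValueError unless it is an alert."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_ALERT or length != 2 or len(record) != 7:
        raise ValueError("not a well-formed alert record")
    level, description = record[5], record[6]
    return {
        "version": version,
        # TLS 1.3 treats every alert except close_notify/user_canceled as
        # fatal whatever this byte says, so do not base decisions on it.
        "level": "fatal" if level == 2 else "warning",
        "name": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
        "access_denied": description == 49,
        "certificate_problem": description in CERTIFICATE_PROBLEM_ALERTS,
    }


def classify_rejection(record: bytes) -> str:
    """Summarise what a rejecting server told the client, for logging."""
    try:
        alert = decode_alert_record(record)
    except ValueError:
        return "not_an_alert"
    if alert["access_denied"]:
        return "rejected_by_access_control"   # valid cert, policy said no
    if alert["certificate_problem"]:
        return "certificate_rejected"         # what OpenSSL's table emits
    return alert["name"]


# Constructed sample records (not captured from a real server).
ACCESS_DENIED_RECORD = bytes.fromhex("1503030002" "0231")    # fatal, access_denied
BAD_CERTIFICATE_RECORD = bytes.fromhex("1503030002" "022a")  # fatal, bad_certificate
```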