Re: TLS-1.3 Certificate Authorities implementation and testing

[Viktor Dukhovni]

On Mon, Sep 02, 2019 at 06:49:40PM +0200, Alexandre Schaff wrote:

> serverside :  'openssl s_server' using certfile which has 2 root-CA+cert
> (certA and certB)  and keyfile which has both secrets.

The s_server application loads just one certificate chain from its
certFile, and just one key from its keyfile.  This happens before
any interaction with the TLS client.  The test as described is not
useful to discern whether or not OpenSSL supports certificate
selection based on the client's certificate selection hints.

AFAIK, any certificate selection logic needs to go in a suitable
callback, since the SSL_CTX can only store one key per algorithm,
and so certificate selection requires callbacks to instantiate a
per-connection context (as with SNI).

So perhaps your answer is that the OpenSSL library does not presently
provide built-in facilities for client-hint-based certificate
selection, beyond what you get by negotiating a shared signature
algorithm.

-- 
Viktor.

TLS-1.3 Certificate Authorities implementation and testing

[Alexandre Schaff]

Hello,
Sorry if question has already been asked, I saw
https://github.com/openssl/openssl/issues/3029 .
Issue#3029 is a mixed discussion on both tls-1.2 extension "trusted CA
indication" (rfc6066#section-6) and TLS-1.3 "Certificate Authorities", thus
conclusion is unclear.

tests done :
openssl version used : openssl-1.1.1a
client : "openssl s_client ... -requestCAfile .." ; tls extension in client
Hello is present.
serverside :  'openssl s_server' using certfile which has 2 root-CA+cert
(certA and certB)  and keyfile which has both secrets.

Whatever the client sends in Certificate Authorities, s_server chooses the
first leaf certificate found within certfile.

Questions : is rfc8446#section-4.2.4 is not mandatory featuyre of tls-1.3.
Does openssl iimplements it fully ? If yes, how to test ?

br,
Alexandre.