Core Server / SERVER-50736

Make OpenSSL explicitly accept SNIs presented in ClientHello


    Details

    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.7, v4.4, v4.2, v4.0, v3.6
    • Sprint:
      Security 2020-09-21

      Description

      It appears the OS X shell can provide Session IDs in its TLS 1.2 handshake, which enable session resumption. This might interact with the server's understanding of SNIs.

      OpenSSL's SSL_get_servername method extracts the SNI for us, and is defined by the documentation to behave thus:

      On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption did not occur

      The function will return the servername requested by the client in this handshake or NULL if none was requested.

      So, after accepting a connection attempt, SSL_get_servername will return the name the client requested. But later:

      On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption occurred

      If a servername was accepted by the server in the original handshake then it will return that servername, or NULL otherwise.

      This means that OpenSSL ignores the second connection attempt's advertised SNI, in favor of the original... if the original connection's SNI was "accepted". SNIs can be accepted in an application-provided callback, which we don't set. We probably need to define a callback to accept the client's SNI, so that we consistently see an SNI across all connections, whether or not they are resumed.

      This can be done by using the SSL_CTX_set_tlsext_servername_callback function.


              People

              Assignee:
              spencer.jackson Spencer Jackson
              Reporter:
              spencer.jackson Spencer Jackson
