
Returning SSL_TLSEXT_ERR_NOACK from SSL_CTX_set_tlsext_servername_callback doesn't stop sending #1099

Open
d3x0r opened this issue Sep 30, 2024 · 0 comments

d3x0r commented Sep 30, 2024

(3.9.2)

I don't yet have a simple test case of this.

I was enabling TLS on some TCP sockets. I realized I was sort of leaking valid server names if I don't check the requested server name, and fail if it's not part of the certificate... so I started checking on the name given in the initial request. If I didn't find the name in the list, then I return SSL_TLSEXT_ERR_NOACK, and set up some other conditions on my internal state...
When the SSL_do_handshake() returns, there is control data available to send ... which apparently includes the certificate.

I was testing against my TCP service using a browser, and deliberately sending bad hostnames... in the browser I got back an error more like 'common name not correct in certificate'... which means it got back the certificate, even though I said NOACK.... I did set a flag noHost internally, and if there is a noHost status and there's data to send, I don't send the data now, and the browser doesn't get the certificate; and now just indicates connection_closed.
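Added example, not part of the issue or the project's code: the servername-callback decision logic for the situation described above, written against the OpenSSL-style return codes that `SSL_CTX_set_tlsext_servername_callback` uses. In that API, `SSL_TLSEXT_ERR_NOACK` only means "continue the handshake without acknowledging the SNI extension", which is why the certificate is still queued for sending; a callback that wants to refuse an unknown name returns `SSL_TLSEXT_ERR_ALERT_FATAL` and sets `*al` to the `unrecognized_name` alert, so `SSL_do_handshake()` fails and only the alert is pending, not the certificate. The constants are redefined locally (same numeric values as `<openssl/ssl.h>`) so the file compiles without the library; the certificate names and host names are constructed samples, and the wildcard rule (one leftmost label only) is the RFC 6125 one.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Servername-callback return codes, same values as <openssl/ssl.h>;
 * defined here only so this example builds stand-alone. */
#define SSL_TLSEXT_ERR_OK            0   /* name accepted, SNI acknowledged */
#define SSL_TLSEXT_ERR_ALERT_WARNING 1   /* send warning alert, continue */
#define SSL_TLSEXT_ERR_ALERT_FATAL   2   /* send fatal alert, abort handshake */
#define SSL_TLSEXT_ERR_NOACK         3   /* continue, just don't acknowledge SNI */
#define SSL_AD_UNRECOGNIZED_NAME   112   /* TLS alert unrecognized_name (RFC 6066) */

/* Case-insensitive equality of two DNS names (DNS names are not case-sensitive). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does one certificate name cover the requested host?
 * "*.example.com" matches exactly one label ("api.example.com"), never
 * "a.b.example.com" and never the bare "example.com". */
static int cert_name_matches(const char *cert_name, const char *host)
{
    if (cert_name[0] == '*' && cert_name[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)      /* host needs a non-empty first label */
            return 0;
        return name_eq(cert_name + 1, dot);  /* compare ".example.com" parts */
    }
    return name_eq(cert_name, host);
}

/* What the SNI callback should return for a requested host name.
 * cert_names: the names (CN/SANs) the server certificate actually carries.
 * *alert is set when the handshake is to be refused.
 *
 * Wiring into OpenSSL-style code (not compiled here):
 *   static int sni_cb(SSL *ssl, int *al, void *arg) {
 *       const char *host = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 *       return sni_decision(host, cert_names, n, al);
 *   }
 *   SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
 */
int sni_decision(const char *host, const char *const *cert_names, size_t n, int *alert)
{
    /* Client sent no SNI at all: nothing to acknowledge. Whether to serve
     * such clients is a policy choice; this example lets the handshake run. */
    if (host == NULL)
        return SSL_TLSEXT_ERR_NOACK;

    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(cert_names[i], host))
            return SSL_TLSEXT_ERR_OK;

    /* Unknown name: refuse before the certificate is ever queued. */
    *alert = SSL_AD_UNRECOGNIZED_NAME;
    return SSL_TLSEXT_ERR_ALERT_FATAL;
}

int main(void)
{
    /* Constructed sample: names the server certificate is assumed to carry. */
    static const char *const names[] = { "example.com", "*.example.com" };
    const char *hosts[] = { "example.com", "API.example.com",
                            "a.b.example.com", "evil.test", NULL };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int alert = 0;
        int rc = sni_decision(hosts[i], names, 2, &alert);
        printf("%-18s -> %s%s\n", hosts[i] ? hosts[i] : "(no SNI)",
               rc == SSL_TLSEXT_ERR_OK ? "OK" :
               rc == SSL_TLSEXT_ERR_NOACK ? "NOACK" : "ALERT_FATAL",
               rc == SSL_TLSEXT_ERR_ALERT_FATAL ? " (unrecognized_name)" : "");
    }
    return 0;
}
```

With the fatal-alert return, the "is there data to send after a failed handshake" check described in the report becomes unnecessary: the library itself never reaches the Certificate message, so a client probing with made-up host names learns nothing beyond "unrecognized name".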
