OpenSSL and per-context option problem

Posted by Thierry Fournier 
Thierry Fournier
OpenSSL and per-context option problem
September 15, 2018 06:20PM
Hi,

I tried to use per-context options in order to enable HTTP2 for a short
list of SNIs. I just added lines like this:

/certif1.pem [alpn h2,http/1.1] my-h2-host.com
/certif2.pem my-other-host.com

This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn't
work on Ubuntu 16.04 with OpenSSL 1.0.2l.

I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
enabled.

My conclusion is that some versions of OpenSSL don't support all per-context
options.

Do you have an opinion?

If my conclusion is right, maybe a warning during the SSL configuration
parser execution would be a good idea?

BR,
Thierry
Emmanuel Hocdet
Re: OpenSSL and per-context option problem
September 17, 2018 12:50PM
Hi Thierry,

> On 15 Sept 2018 at 18:06, Thierry Fournier <[email protected]> wrote:
>
> Hi,
>
> I tried to use per-context options in order to enable HTTP2 for a short
> list of SNIs. I just added lines like this:
>
> /certif1.pem [alpn h2,http/1.1] my-h2-host.com
> /certif2.pem my-other-host.com
>
> This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn't
> work on Ubuntu 16.04 with OpenSSL 1.0.2l.
>
> I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
> enabled.
>
> My conclusion is that some versions of OpenSSL don't support all per-context
> options.
>
> Do you have an opinion?
>

Are you sure it's not the opposite: doesn't work with 1.0.2g?

"Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]

Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN."

++
Manu
Thierry Fournier
Re: OpenSSL and per-context option problem
September 17, 2018 01:00PM

Thierry Fournier
Web Performance & Security Expert
m: +33 6 68 69 21 85 | e: thierry.fournier@ozon.io
w: http://www.ozon.io/ | b: http://blog.ozon.io/

> On 17 Sep 2018, at 12:45, Emmanuel Hocdet <[email protected]> wrote:
>
>
> Hi Thierry,
>
>> On 15 Sept 2018 at 18:06, Thierry Fournier <[email protected]> wrote:
>>
>> Hi,
>>
>> I tried to use per-context options in order to enable HTTP2 for a short
>> list of SNIs. I just added lines like this:
>>
>> /certif1.pem [alpn h2,http/1.1] my-h2-host.com
>> /certif2.pem my-other-host.com
>>
>> This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn't
>> work on Ubuntu 16.04 with OpenSSL 1.0.2l.
>>
>> I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
>> enabled.
>>
>> My conclusion is that some versions of OpenSSL don't support all per-context
>> options.
>>
>> Do you have an opinion?
>>
>
> Are you sure it's not the opposite: doesn't work with 1.0.2g?
>
> "Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
>
> Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN."
>
Sorry, I mixed up the versions. The following is the reality:

OpenSSL 1.0.2l 25 May 2017 => works
OpenSSL 1.0.2g 1 Mar 2016 => doesn't work.

The change explains the observed behavior!

br,
Thierry
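As an added example (not code from this thread, from HAProxy or from OpenSSL), a small Python pre-flight check of the kind Thierry suggested: it parses crt-list lines of the shape shown in the thread and warns when the OpenSSL version string (for instance the one `haproxy -vv` prints) predates 1.0.2h, the release whose changelog entry Manu quoted. The crt-list line shape `<cert> [options] <sni ...>` and the `alpn <protocols>` option syntax are assumed from the posted configuration.

```python
import re

# OpenSSL 1.0.2h (3 May 2016) moved the ALPN callback after the SNI/servername
# callback, so a per-SNI "[alpn ...]" crt-list entry only takes effect from
# 1.0.2h on. Versions are compared as (major, minor, fix, patch-letter index),
# so 'g' -> 7 (fails the check) and 'h' -> 8 (passes it).
MIN_PER_SNI_ALPN = (1, 0, 2, 8)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Assumed crt-list line shape, as in the thread: <cert> [options] <sni> ...
_CRTLIST_RE = re.compile(r"^(?P<cert>\S+)\s*(?:\[(?P<opts>[^\]]*)\])?\s*(?P<snis>.*)$")


def parse_openssl_version(text):
    """'OpenSSL 1.0.2g  1 Mar 2016' -> (1, 0, 2, 7); no patch letter counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def per_sni_alpn_supported(version_text):
    """True when the library is 1.0.2h or newer (1.1.x and 3.x included)."""
    return parse_openssl_version(version_text) >= MIN_PER_SNI_ALPN


def parse_crtlist(text):
    """Return a list of (cert, alpn_value_or_None, [sni, ...]) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _CRTLIST_RE.match(line)
        opts = m.group("opts") or ""
        alpn = re.search(r"\balpn\s+(\S+)", opts)  # only the option this check cares about
        entries.append((m.group("cert"), alpn.group(1) if alpn else None, m.group("snis").split()))
    return entries


def check_crtlist(text, version_text):
    """Return one warning per entry whose per-SNI ALPN this OpenSSL would silently ignore."""
    if per_sni_alpn_supported(version_text):
        return []
    return [f"{cert}: alpn {alpn} for {' '.join(snis)} needs OpenSSL >= 1.0.2h"
            for cert, alpn, snis in parse_crtlist(text) if alpn]


if __name__ == "__main__":
    # Constructed sample: the two lines from the thread and the two versions it compares.
    sample = "/certif1.pem [alpn h2,http/1.1] my-h2-host.com\n/certif2.pem my-other-host.com\n"
    for version in ("OpenSSL 1.0.2g  1 Mar 2016", "OpenSSL 1.0.2l  25 May 2017"):
        print(version, "->", check_crtlist(sample, version) or "per-SNI alpn honoured")
```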