On Tue, Jan 31, 2006 at 09:00:04PM +0100, Dr. Stephen Henson wrote:

> As has happened previously the functionality in the HEAD is not set in stone
> and may be subject to change.
> I'm aware of the 0.9.9 TLS extension efforts but I'm not currently actively
> involved with them. I have a shed load of other things to do.

It looks like the current implementation is going more towards adding
each TLS extension as a separate implementation whereas the patch that
wpa_supplicant is using for EAP-FAST support has a more generic
mechanism that allows arbitrary TLS extensions to be added to
ClientHello without having to modify OpenSSL for each new type.

Current CVS HEAD includes support for servername and host_name
extensions. EAP-FAST is using PAC-Opaque extension, so it would need
additional code to add that into the ClientHello. This would likely be
something similar to the way setting host_name extension is done.

Before starting to port the patch I've used with OpenSSL 0.9.8 to 0.9.9,
I would like to get a better understanding of the desired design for TLS
extensions and to find out whether someone else is working on
implementing additional extensions at the moment. Is the current design
of separate implementations without generic support for arbitrary
extensions the preferred way of doing this (i.e., is it likely to remain
in 0.9.9)? The CHANGES file marks most of the TLS extension code as
"subject to change".

If a separate implementation is desired, it would probably be a
combination of adding the PAC-Opaque extension (a.k.a. SessionTicket TLS
extension) and taking care of a callback for fetching the pre-shared secret
for session resumption.

Jouni Malinen PGP id EFC895FA
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
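The message above talks about two extensions carried in the ClientHello, server_name (with its host_name entry) and the SessionTicket/PAC-Opaque extension, and about whether OpenSSL should handle each one separately or through a generic extension mechanism. Whichever way a library chooses, the wire format every extension shares is the same: a 2-byte vector length, then a sequence of {type, length, data} records. The following is an added example, not code from this thread, from OpenSSL or from the wpa_supplicant patch. It is a stand-alone C parser for that vector, with a helper that pulls the host_name out of a server_name extension, and it treats any length field that runs past the available bytes as an error instead of reading beyond the buffer. The extension type numbers (0 for server_name, 35 for SessionTicket) are the IANA-registered values from RFC 4366 and RFC 4507; the sample ClientHello bytes, the "example.com" host name and the 4-byte ticket body are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Registered extension type numbers (RFC 4366 server_name, RFC 4507 SessionTicket). */
#define TLSEXT_TYPE_SERVER_NAME     0
#define TLSEXT_TYPE_SESSION_TICKET  35
#define TLSEXT_NAMETYPE_HOST_NAME   0   /* name_type inside server_name */

struct tls_ext {
    uint16_t type;
    uint16_t len;
    const uint8_t *data;   /* points into the caller's buffer, not copied */
};

static uint16_t get_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a ClientHello extensions vector: 2-byte total length followed by
 * {type(2), length(2), data} records.  Returns the number of extensions, or
 * -1 if any length field does not fit the bytes actually present. */
int parse_extensions(const uint8_t *buf, size_t buflen,
                     struct tls_ext *out, size_t max_out)
{
    size_t pos, n = 0, total;
    if (buflen < 2) return -1;
    total = get_u16(buf);
    pos = 2;
    if (total != buflen - 2) return -1;      /* vector must exactly fill the buffer */
    while (pos < buflen) {
        uint16_t type, len;
        if (buflen - pos < 4) return -1;     /* not even a full header left */
        type = get_u16(buf + pos);
        len  = get_u16(buf + pos + 2);
        pos += 4;
        if (len > buflen - pos) return -1;   /* body claims more than remains */
        if (n >= max_out) return -1;         /* caller's array is full */
        out[n].type = type;
        out[n].len  = len;
        out[n].data = buf + pos;
        n++;
        pos += len;
    }
    return (int)n;
}

/* First extension of the given type, or NULL if the ClientHello lacks it. */
const struct tls_ext *find_extension(const struct tls_ext *exts, int n, uint16_t type)
{
    for (int i = 0; i < n; i++)
        if (exts[i].type == type) return &exts[i];
    return NULL;
}

/* Copy the host_name entry of a server_name extension into out as a
 * NUL-terminated string.  The body is a 2-byte list length followed by
 * {name_type(1), length(2), name} entries.  Returns the name length, or
 * -1 if the extension is absent, malformed, or has no host_name entry. */
int get_host_name(const struct tls_ext *ext, char *out, size_t outlen)
{
    const uint8_t *p;
    size_t list_len, pos;
    if (ext == NULL || ext->type != TLSEXT_TYPE_SERVER_NAME || ext->len < 2) return -1;
    p = ext->data;
    list_len = get_u16(p);
    pos = 2;
    if (list_len != (size_t)ext->len - 2) return -1;
    while (pos < ext->len) {
        uint8_t name_type;
        uint16_t name_len;
        if ((size_t)ext->len - pos < 3) return -1;
        name_type = p[pos];
        name_len  = get_u16(p + pos + 1);
        pos += 3;
        if (name_len > (size_t)ext->len - pos) return -1;
        if (name_type == TLSEXT_NAMETYPE_HOST_NAME) {
            if ((size_t)name_len + 1 > outlen) return -1;   /* would not fit */
            memcpy(out, p + pos, name_len);
            out[name_len] = '\0';
            return name_len;
        }
        pos += name_len;
    }
    return -1;
}

/* Constructed sample: server_name("example.com") followed by a SessionTicket
 * extension whose 4-byte body stands in for an opaque ticket. */
const uint8_t SAMPLE_EXTS[] = {
    0x00, 0x1c,                                  /* extensions vector length: 28 */
    0x00, 0x00, 0x00, 0x10,                      /* server_name, length 16 */
    0x00, 0x0e,                                  /*   ServerNameList length 14 */
    0x00, 0x00, 0x0b,                            /*   host_name, length 11 */
    'e','x','a','m','p','l','e','.','c','o','m',
    0x00, 0x23, 0x00, 0x04,                      /* SessionTicket, length 4 */
    0xde, 0xad, 0xbe, 0xef                       /*   constructed ticket body */
};

int main(void)
{
    struct tls_ext exts[8];
    char host[256];
    int n = parse_extensions(SAMPLE_EXTS, sizeof SAMPLE_EXTS, exts, 8);
    if (n < 0) { puts("malformed extensions vector"); return 1; }
    for (int i = 0; i < n; i++)
        printf("extension type %u, %u bytes\n", exts[i].type, exts[i].len);
    if (get_host_name(find_extension(exts, n, TLSEXT_TYPE_SERVER_NAME), host, sizeof host) > 0)
        printf("host_name: %s\n", host);
    return 0;
}
```

The checks on the vector length and on each record's length are the part worth keeping in mind when adding a new extension type to a library: an extension-specific handler only sees bytes that the generic parser has already confirmed are present, so a per-type implementation (the design the message describes for host_name) and a generic one share the same bounds-checking front end.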