SSL Client Hello Unrecognized Custom Extensions

[Jordi Escudero]

Hello,
I am trying to use custom extensions for the clienthello message with the "ngx.ssl.clienthello" module but I find that the Openssl library it uses internally limits unrecognized extensions.

Is there an example of using a custom extension for this module? Currently it uses the extension 0 which is the name of the server and this has no limitations.

Any hint on this topic would be appreciated :D
Thank you

[Junlong li]

I think it is better to show the code you have tried now.

Can you get the ext by get_client_hello_ext ?

[Jordi Escudero]

Hello,
the problem is using an extension that is not registered and it seems to me that the openssl library is filtering it...

Maybe is necessary to register the extension on the server side ... I'm using this example but with openresty as a server.

https://aticleworld.com/ssl-server-client-using-openssl-in-c/

Regards

[solomon]

Hi,

Is the client actually sending the custom extension? `get_client_hello_ext` only gets the raw data of the specified extension if it is present.
To add a custom extension on the client side, you may need to use `SSL_CTX_add_custom_ext` if the client uses OpenSSL as well.

For detail about this API, please refer to the official doc. https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html

Jordi Escudero <jordi.e...@gmail.com> 于2022年11月29日周二 23:41写道：

--
You received this message because you are subscribed to the Google Groups "openresty-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openresty-en...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openresty-en/93d5c48c-f0f6-46a9-a8d9-136105b7deb2n%40googlegroups.com.