enable DTLS negotiation

David Woodhouse dwmw2 at infradead.org
Fri Sep 16 06:53:51 PDT 2016


On Fri, 2016-09-16 at 15:07 +0200, Nikos Mavrogiannopoulos wrote:
> Ok. For openconnect client it would be fairly easy to handle this,
> only send an extension with fairly static data, as it only sends a
> username. 


Just checking... the idea is to put the client identifier here; the hex
string which we're *currently* using in the session-id. Not the hard-
coded "psk" string which we currently send as PSK identity. That would
be kind of pointless :)

> However, there is a catch, we should do that for both
> openssl and gnutls. Ocserv would require to be able to parse the TLS
> client hello since the extension data are in variable positions,
> however that shouldn't be really hard. I could do the ocserv part and
> the gnutls part if you do the openssl part :)

Yeah, I can register custom SSL extensions with OpenSSL too.

> > (Actually, let's not use 'PSK-NEGOTIATE' since we currently use it to
> > mean something else. Let's call them... 'PSK-IDENTITY-01' and then
> > maybe in the future 'PSK-IDENTITY-RFCxxxx'  Or something like that.)
> 
> Let's not change it yet. Since we are experimenting let's keep it for
> the current version of the protocol, and if we need again we change
> it.

OK.

-- 
dwmw2
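The ClientHello parsing that the ocserv side would need, as an added illustration that is not code from this thread, from ocserv or from openconnect: it walks the variable-length fields of a (D)TLS ClientHello (session-id, DTLS cookie, cipher suites, compression methods) to reach the extensions block, then returns each extension by type so a client identifier carried in a custom extension can be read before the handshake continues. The extension type number and the sample message are constructed assumptions, not values from the thread.

```python
import struct

# Hypothetical extension type for carrying the client identifier (assumption:
# not a registered IANA value; a real deployment would pick one deliberately).
PSK_IDENTITY_EXT_TYPE = 0xFF01

def parse_client_hello(data: bytes, dtls: bool = False) -> dict:
    """Walk a ClientHello handshake message (type 0x01, no record header) and
    return its fields plus a {type: payload} dict of extensions. Raises
    ValueError on truncated or malformed input instead of over-reading."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated ClientHello")
        chunk = data[pos:pos + n]
        pos += n
        return chunk
    if take(1) != b"\x01":
        raise ValueError("not a ClientHello")
    if int.from_bytes(take(3), "big") != len(data) - 4:
        raise ValueError("handshake length mismatch")
    version = take(2)
    take(32)                                    # client random
    session_id = take(take(1)[0])
    cookie = take(take(1)[0]) if dtls else b""  # DTLS inserts a cookie here
    suites = take(int.from_bytes(take(2), "big"))
    take(take(1)[0])                            # compression methods
    exts = {}
    if pos < len(data):                         # extensions block is optional
        ext_len = int.from_bytes(take(2), "big")
        end = pos + ext_len
        if end != len(data):
            raise ValueError("extensions length mismatch")
        while pos < end:
            ext_type = int.from_bytes(take(2), "big")
            if ext_type in exts:
                raise ValueError("duplicate extension %#x" % ext_type)
            exts[ext_type] = take(int.from_bytes(take(2), "big"))
    return {"version": version, "session_id": session_id, "cookie": cookie,
            "cipher_suites": suites, "extensions": exts}

def build_client_hello(session_id: bytes, exts: dict, dtls: bool = False) -> bytes:
    """Constructed sample ClientHello (zero random, one PSK suite) for testing."""
    body = (b"\xfe\xfd" if dtls else b"\x03\x03") + bytes(32)
    body += bytes([len(session_id)]) + session_id + (b"\x00" if dtls else b"")
    body += b"\x00\x02\x00\xae\x01\x00"  # TLS_PSK_WITH_AES_128_CBC_SHA256, null compression
    blob = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in exts.items())
    body += struct.pack("!H", len(blob)) + blob
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

The length checks matter because the extension offset is only known after every preceding variable-length field has been validated; a server that trusts the advertised lengths reads past the datagram.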