4 Commits

Author	SHA1	Message	Date
William Lallemand	ed9b8fec49	BUG/MEDIUM: ssl: AWS-LC + TLSv1.3 won't do ECDSA in RSA+ECDSA configuration ... SSL_get_ciphers() in AWS-LC seems to lack the TLSv1.3 ciphersuites, which break the ECDSA key selection when doing TLSv1.3. An issue was opened https://github.com/aws/aws-lc/issues/1638 Indeed, in ssl_sock_switchctx_cbk(), the sigalgs is used to determine if ECDSA is doable or not, then the function compares the list of ciphers in the clienthello with the list of configured ciphers. The fix solves the issue by never skipping the TLSv1.3 ciphersuites, even if they are not in SSL_get_ciphers().	2024-06-17 17:40:49 +02:00
William Lallemand	7120c77b14	MEDIUM: ssl: support for ECDA+RSA certificate selection with AWS-LC ... AWS-LC does not support the SSL_CTX_set_client_hello_cb() function from OpenSSL which allows to analyze ciphers and signatures algorithm of the ClientHello. However it supports the SSL_CTX_set_select_certificate_cb() which allows the same thing but was the implementation from the boringSSL side. This patch uses the SSL_CTX_set_select_certificate_cb() as well as the SSL_early_callback_ctx_extension_get() function to get the signature algorithms. This was successfully tested with openssl s_client as well as testssl.sh. This should allow to enable more reg-tests that depend on certificate selection. Require at least AWS-LC 1.22.0.	2024-06-13 19:36:40 +02:00
William Lallemand	5149cc4990	BUILD: ssl: fix build with wolfSSL ... fix build with wolfSSL, broken since the reorg in src/ssl_clienthello.c	2024-06-13 17:01:45 +02:00
William Lallemand	4ced880d22	REORG: ssl: move the SNI selection code in ssl_clienthello.c ... Move the code which is used to select the final certificate with the clienthello callback. ssl_sock_client_sni_pool need to be exposed from outside ssl_sock.c	2024-06-13 16:48:17 +02:00