Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CA callback not called in TLS 1.3 #7079

Closed
gilles-peskine-arm opened this issue Feb 10, 2023 · 4 comments
Closed

CA callback not called in TLS 1.3 #7079

gilles-peskine-arm opened this issue Feb 10, 2023 · 4 comments
Assignees
@ronald-cron-arm
Labels
bug component-tls13 size-s Estimated task size: small (~2d)

Comments

@gilles-peskine-arm
Copy link
Contributor

gilles-peskine-arm commented Feb 10, 2023
edited
Loading

Configuring a CA callback with mbedtls_ssl_conf_ca_cb() has no effect in TLS 1.3. This is not documented as a limitation, and there is no reason not to support it. See #7075 (comment)

The goal of this task is to support a CA callback in TLS 1.3, the same way as in TLS 1.2.

This should be tested both from the server side and the client side.
@gilles-peskine-arm gilles-peskine-arm mentioned this issue Feb 10, 2023
Closed
@ronald-cron-arm ronald-cron-arm self-assigned this Feb 15, 2023
@gilles-peskine-arm
Copy link
Contributor Author

Related: TLS currently doesn't support the X.509 certificate extension callback (only available via mbedtls_x509_crt_parse_der_with_ext_cb). Whatever method we add to make it support this, should work both for TLS 1.2 and TLS 1.3.

@ronald-cron-arm ronald-cron-arm mentioned this issue Dec 5, 2023
Closed
@ronald-cron-arm ronald-cron-arm added the size-s Estimated task size: small (~2d) label Dec 19, 2023
@ronald-cron-arm ronald-cron-arm mentioned this issue Dec 21, 2023
Merged
3 tasks
@adambvidex
Copy link

Is there a workaround for this bug? Our product requires it because the CA database cannot fit in RAM of the embedded device.

@ronald-cron-arm ronald-cron-arm mentioned this issue Apr 3, 2024
Closed
4 tasks
@ronald-cron-arm
Copy link
Contributor

Is there a workaround for this bug? Our product requires it because the CA database cannot fit in RAM of the embedded device.

#9002 fixes this issue.

@wyattoday wyattoday mentioned this issue Apr 16, 2024
Closed
@gilles-peskine-arm gilles-peskine-arm mentioned this issue Jun 3, 2024
Closed
@ronald-cron-arm
Copy link
Contributor

Closing this issue as we have rather decided to address this more generally with #9018.

@minosgalanakis minosgalanakis moved this to 3.6.1 patch release in Mbed TLS Epics Aug 2, 2024
@mpg mpg mentioned this issue Aug 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ronald-cron-arm ronald-cron-arm

Labels
bug component-tls13 size-s Estimated task size: small (~2d)
Projects
Mbed TLS Epics
Status: 3.6.1 patch release
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

TLS 1.3: Add support for trusted certificate callback ronald-cron-arm/mbedtls
3 participants
@gilles-peskine-arm @ronald-cron-arm @adambvidex