
[RFC 6962] s2n Client can Validate Signed Certificate Timestamp TLS Extension

Open alexw91 opened this issue 8 years ago • 2 comments

RFC: https://tools.ietf.org/html/rfc6962

Right now the s2n Client can request and accept SCT TLS Extensions, but does not validate the extension.

In function s2n_recv_server_sct_list() in s2n_server_extensions.c, conn->ct_response is never validated before being copied to the connection struct.

alexw91 avatar Mar 21 '17 16:03 alexw91
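For reference, an added example (not s2n-tls code, and not from any commenter on this issue) of what validating the received extension body involves before it is stored: parsing the RFC 6962 SignedCertificateTimestampList with every length field checked against the bytes that remain, then applying policy to each SCT (known log id, timestamp not in the future, supported algorithms). The function names, the trusted log id and the sample SCT bytes are this example's own constructions; the four-byte "signature" is a placeholder, and verifying a real signature with the log's public key over the certificate is the step that follows and is not shown.

```c
/* Added example, not s2n-tls code: parser and structural validator for the
 * RFC 6962 SignedCertificateTimestampList carried in the TLS
 * signed_certificate_timestamp extension, with a constructed sample list.
 * All names and sample bytes here are the example's own, not s2n identifiers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SCT_V1          0   /* RFC 6962 s3.2: v1(0) is the only defined version */
#define SCT_LOG_ID_LEN  32  /* LogID = SHA-256 of the log's public key */
#define HASH_SHA256     4   /* TLS HashAlgorithm value */
#define SIG_RSA         1   /* TLS SignatureAlgorithm values */
#define SIG_ECDSA       3

struct sct {
    const uint8_t *log_id;
    uint64_t timestamp_ms;          /* milliseconds since the UNIX epoch */
    uint16_t extensions_len;
    uint8_t hash_alg, sig_alg;
    const uint8_t *signature;
    uint16_t signature_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Parse one SerializedSCT of exactly len bytes (RFC 6962 s3.2). Each length
 * field is checked against the remaining bytes; trailing bytes are rejected. */
int sct_parse(const uint8_t *buf, size_t len, struct sct *out)
{
    size_t pos = 0;
    if (len < 1 + SCT_LOG_ID_LEN + 8 + 2) return -1;
    if (buf[pos++] != SCT_V1) return -1;
    out->log_id = buf + pos;               pos += SCT_LOG_ID_LEN;
    out->timestamp_ms = rd64(buf + pos);   pos += 8;
    out->extensions_len = rd16(buf + pos); pos += 2;
    if (len - pos < out->extensions_len) return -1;
    pos += out->extensions_len;            /* extensions are opaque for v1 */
    if (len - pos < 4) return -1;          /* hash alg, sig alg, signature length */
    out->hash_alg = buf[pos++];
    out->sig_alg = buf[pos++];
    out->signature_len = rd16(buf + pos);  pos += 2;
    if (len - pos != out->signature_len) return -1;
    out->signature = buf + pos;
    return 0;
}

/* Validate a SignedCertificateTimestampList (RFC 6962 s3.3). trusted_ids holds
 * n_trusted consecutive 32-byte log ids. Returns the number of SCTs that pass
 * the structural and policy checks, or -1 if any part of the list is malformed
 * (a malformed extension is rejected as a whole rather than partially used). */
int sct_list_validate(const uint8_t *ext, size_t ext_len,
                      const uint8_t *trusted_ids, size_t n_trusted, uint64_t now_ms)
{
    if (ext_len < 2) return -1;
    size_t list_len = rd16(ext);
    if (list_len == 0 || list_len != ext_len - 2) return -1;
    const uint8_t *p = ext + 2, *end = ext + ext_len;
    int accepted = 0;
    while (p < end) {
        if ((size_t)(end - p) < 2) return -1;
        size_t sct_len = rd16(p); p += 2;
        if (sct_len == 0 || (size_t)(end - p) < sct_len) return -1;
        struct sct s;
        if (sct_parse(p, sct_len, &s) != 0) return -1;
        p += sct_len;
        int known = 0;                     /* policy: only logs we trust count */
        for (size_t i = 0; i < n_trusted; i++)
            if (memcmp(s.log_id, trusted_ids + i * SCT_LOG_ID_LEN, SCT_LOG_ID_LEN) == 0) known = 1;
        if (!known || s.timestamp_ms > now_ms || s.hash_alg != HASH_SHA256) continue;
        if (s.sig_alg != SIG_ECDSA && s.sig_alg != SIG_RSA) continue;
        /* Next step (not shown): verify s.signature with the log's public key over
         * the digitally-signed structure of RFC 6962 s3.2 built from the certificate. */
        accepted++;
    }
    return accepted;
}

/* Constructed sample SCT: fixed log id byte, given timestamp, placeholder signature. */
size_t encode_sct(uint8_t *out, uint8_t log_fill, uint64_t ts_ms)
{
    size_t n = 0;
    out[n++] = SCT_V1;
    memset(out + n, log_fill, SCT_LOG_ID_LEN); n += SCT_LOG_ID_LEN;
    for (int i = 7; i >= 0; i--) out[n++] = (uint8_t)(ts_ms >> (8 * i));
    out[n++] = 0; out[n++] = 0;                    /* no extensions */
    out[n++] = HASH_SHA256; out[n++] = SIG_ECDSA;
    out[n++] = 0; out[n++] = 4;                    /* 4-byte placeholder, not a real signature */
    out[n++] = 0xDE; out[n++] = 0xAD; out[n++] = 0xBE; out[n++] = 0xEF;
    return n;                                      /* 51 bytes */
}

/* Constructed sample list: one SCT from log id 0x11.., one from unknown log 0x22.. */
size_t build_sample_list(uint8_t *buf)
{
    size_t n = 2;
    for (int i = 0; i < 2; i++) {
        size_t len = encode_sct(buf + n + 2, i == 0 ? 0x11 : 0x22, 1490000000000ULL);
        buf[n] = (uint8_t)(len >> 8); buf[n + 1] = (uint8_t)len;
        n += 2 + len;
    }
    buf[0] = (uint8_t)((n - 2) >> 8); buf[1] = (uint8_t)(n - 2);
    return n;
}

int main(void)
{
    uint8_t buf[256], trusted[SCT_LOG_ID_LEN];
    size_t n = build_sample_list(buf);
    memset(trusted, 0x11, sizeof trusted);      /* constructed id of the one log we trust */
    printf("accepted SCTs: %d\n", sct_list_validate(buf, n, trusted, 1, 1500000000000ULL));
    buf[1] ^= 1;                                /* corrupt the list length: whole extension rejected */
    printf("after corruption: %d\n", sct_list_validate(buf, n, trusted, 1, 1500000000000ULL));
    return 0;
}
```

The list-length and per-SCT length checks are the part that matters most at the point where the extension is copied into the connection: a receiver that stores the bytes first and parses later has already accepted an attacker-controlled length field. Treating any malformed entry as a reason to reject the whole extension, rather than skipping it, keeps the policy simple to reason about.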

I'm working on a PR which will add an extension callback that can be invoked for a specific extension; it will pass in the data from the peer. This can be used to validate OCSP, SCT and potentially other data.

baldwinmatt avatar Mar 21 '17 16:03 baldwinmatt

I think most certificates today have SCTs embedded in the X.509 certificate, so it would be nice to validate those too. Not sure if this should be part of this story or a separate one.

xonatius avatar Mar 09 '21 17:03 xonatius