BedrockFramework icon indicating copy to clipboard operation
BedrockFramework copied to clipboard

Published 20 hours ago verified publisher icon davidfowl

Implement OpenSSL based TLS support

Open davidfowl opened this issue 4 years ago • 6 comments

Details here need to be fleshed out and I'm going to lean on @Drawaes to help flesh this out and break it down into work items. Ideally we'd have several parsers for various parts of the pipeline (handshake writer and reader etc).

  • [ ] - ClientHelloMessageReader - This will parse the client hello message
  • [ ] - ClientHelloMessageWriter - This will write the client hello message

davidfowl avatar Jan 15 '20 04:01 davidfowl

Parts needed off the top of my head

Protocol Version Parser (to figure out which version of the protocol is going to be used)

Record (R/W) RecordType RecordHeader

Main record types that need to be handled

ChangeCipherSpec Alert Handshake Application

Then within the handshake there is handshake framing (so another R/W) with a header and type.

Message types in there are

client_hello - 1, server hello - 2, new session ticket - 4, end of early_data - 5, hello retry_request 6, encrypted extensions - 8, certificate - 11, Server Key Exchange = 12, certificate request - 13, server hello done = 14, certificate verify - 15, client key exchange - 16, finished - 20, key update -24,

Drawaes avatar Jan 16 '20 15:01 Drawaes

How much can we leverage from dotnet to implement this? I assume the main difference will be exposing Pipe apis vs Stream apis?

jkotalik avatar Jan 16 '20 19:01 jkotalik

@jkotalik I think there are different layers here:

  • The various parsers for message types (or single parser for multiple message types)
  • The crypto interface
  • The end to end usage of it (Pipe and Stream using them above primitives to do the end to end)

davidfowl avatar Jan 16 '20 19:01 davidfowl

There are a few questions here to answer. Are you wanting to do all of the protocol handling in OpenSsl and make a simple PInvoke layer (ala Sslstream) or something slightly more ambitious (ala go, Java etc) where you have the protocol handling in managed code with maybe just the crypto handled in OpenSsl (with it built to be able to swap the crypto implementations). My preference is the second the first is somewhat boring 😴.

Drawaes avatar Jan 16 '20 19:01 Drawaes

I prefer the latter. I'd like the crypto to be an abstraction though not baked to use open ssl.

davidfowl avatar Jan 16 '20 21:01 davidfowl

Hello guys, are the functions involved in this issue still under development? I hope to implement the message type of new session ticket during handshake, but sslsteam does not seem to use this message type. Is there any other way

dannyshenl avatar Jul 30 '21 05:07 dannyshenl