
Use the client hello session id to transmit the client identifier

Currently the openconnect (protocol) client uses a custom extension to provide information to the server on which session it was previously associated with. However, a private extension cannot be defined in IETF without going through a tedious standardization process involving the TLS working group. To avoid that process we should provide the client identifier on the DTLS session using alternative methods.

In TLS 1.3 (and DTLS) the session ID field was made obsolete, and as such we can use it to place the client identifier instead of an extension field. We can do it safely because (1) there is no session resumption (in the DTLS 1.2 or earlier sense) and (2) ocserv is already checking this field for that value due to the old protocol format.

Relates: https://github.com/openconnect/protocol/pull/1

Resolves #5 (closed)

Edited by Nikos Mavrogiannopoulos
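As an added illustration (not code from the openconnect project or this merge request), the following Python builds a DTLS ClientHello body that carries a client identifier in the legacy_session_id field, and a server-side routine that reads it back; the constraint to keep in mind is that RFC 8446 defines legacy_session_id as opaque<0..32>, so the identifier must fit in 32 bytes. The cipher suites, cookie field and supported_versions extension are assumed here only to produce a well-formed body.

```python
import os
import struct

MAX_SESSION_ID_LEN = 32  # RFC 8446: legacy_session_id is opaque<0..32>


def build_dtls_client_hello(client_id: bytes, cookie: bytes = b"") -> bytes:
    """Client side: DTLS ClientHello body with client_id in legacy_session_id."""
    if len(client_id) > MAX_SESSION_ID_LEN:
        raise ValueError("client identifier does not fit in the session_id field")
    body = b"\xfe\xfd"                              # legacy_version: DTLS 1.2 (kept for compat)
    body += os.urandom(32)                          # random
    body += bytes([len(client_id)]) + client_id     # legacy_session_id carries the identifier
    body += bytes([len(cookie)]) + cookie           # DTLS-only cookie field (assumed empty)
    suites = b"\x13\x01\x13\x02"                    # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # legacy_compression_methods: null only
    # supported_versions extension (type 43) advertising DTLS 1.3 (0xfefc), assumed value
    ext = b"\x00\x2b" + struct.pack("!H", 3) + b"\x02\xfe\xfc"
    body += struct.pack("!H", len(ext)) + ext
    return body


def extract_client_id(client_hello: bytes) -> bytes:
    """Server side: read the identifier back from legacy_session_id.

    Length is validated against both the 32-byte maximum and the buffer size,
    so a truncated or oversized field is rejected instead of being read past.
    """
    off = 2 + 32                                    # skip legacy_version and random
    if len(client_hello) <= off:
        raise ValueError("truncated ClientHello")
    sid_len = client_hello[off]
    off += 1
    if sid_len > MAX_SESSION_ID_LEN or off + sid_len > len(client_hello):
        raise ValueError("malformed session_id length")
    return client_hello[off:off + sid_len]


if __name__ == "__main__":
    # Constructed identifier for demonstration only.
    hello = build_dtls_client_hello(b"ocserv-session-0001")
    print(extract_client_id(hello))                 # b'ocserv-session-0001'
```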
