SSL::extensions

Description

Returns or manipulates SSL extensions.

Syntax

SSL::extensions
SSL::extensions count
SSL::extensions -index <extension number>
SSL::extensions -type <extension type value>
SSL::extensions exists -type <extension type value>
SSL::extensions insert <opaque extensions>

SSL::extensions

  • Returns the extensions sent by the peer as a single opaque byte array.
  • Valid in all SSL handshake events (those other than *SSL_DATA).

SSL::extensions count

  • Returns the number of extensions received.

SSL::extensions -index <extension number>

  • Returns the opaque extension byte array corresponding to the specified N-th (zero-indexed) extension.

SSL::extensions -type <extension type value>

  • Returns the opaque extension byte array corresponding to the specified extension type value, or an empty string if not found.
  • Returns only the first instance if the same extension type is present more than once.

SSL::extensions exists -type <extension type value>

  • Returns 0 if no extension corresponding to the specified extension type value was provided, or non-zero if at least one such extension exists.

SSL::extensions insert <opaque extensions>

  • Appends the opaque extension specified by a byte array to the set of extensions to send to the peer.
  • Valid only in SERVERSSL_CLIENTHELLO_SEND and CLIENTSSL_CLIENTHELLO events.
  • No validation of the extension is performed beyond checking that the encoded length matches the extension data.

Note: a byte array holds one or more encoded extensions, each consisting of a 2-byte extension type, a 2-byte size, and the extension data.

Examples

when CLIENTSSL_HANDSHAKE {
    log local0.info "CLIENTSSL_HANDSHAKE"
    set ext_count [SSL::extensions count]
    log local0.info "SSL::extensions count = $ext_count"

    for {set i 0} {$i<$ext_count} {incr i} {
        # Each extension is: 2-byte type, 2-byte length, data (all big-endian).
        # S1 scans a signed 16-bit value, so mask with 0xffff to get the unsigned type and length.
        binary scan [SSL::extensions -index $i] S1S1H* ext_type ext_len ext
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension #[expr {$i + 1}]: (type $ext_type len $ext_len) $ext"
    }

    binary scan [SSL::extensions] H* exts
    log local0.info "SSL extensions: $exts"

    set ext_exists [SSL::extensions exists -type 35]
    log local0.info "SSL extension type 35 exists: $ext_exists"
    if {$ext_exists} {
        set scan [binary scan [SSL::extensions -type 35] S1S1H* ext_type ext_len ext]
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension type 35: (scan $scan type $ext_type len $ext_len) $ext"
    }

    set ext_exists [SSL::extensions exists -type 0]
    log local0.info "SSL extension type 0 exists: $ext_exists"
    if {$ext_exists} {
        set scan [binary scan [SSL::extensions -type 0] S1S1H* ext_type ext_len ext]
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension type 0: (scan $scan type $ext_type len $ext_len) $ext"
    }
}

Sample log output:
<CLIENTSSL_HANDSHAKE>: CLIENTSSL_HANDSHAKE
<CLIENTSSL_HANDSHAKE>: SSL::extensions count = 1
<CLIENTSSL_HANDSHAKE>: SSL extension #1: (type 65281 len 1) 00
<CLIENTSSL_HANDSHAKE>: SSL extensions: ff01000100
<CLIENTSSL_HANDSHAKE>: SSL extension type 35 exists: 0
<CLIENTSSL_HANDSHAKE>: SSL extension type 0 exists: 0

when CLIENTSSL_CLIENTHELLO {
    # Encode one extension as type (16-bit), length (16-bit), data and append it to the outgoing set.
    set my_ext "Hello world!"
    set my_ext_type 62965
    SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext]
}