SSL::extensions
Description
Returns the TLS extensions received from the peer, or appends extensions to those sent to the peer.
Syntax
SSL::extensions
SSL::extensions count
SSL::extensions -index <extension number>
SSL::extensions -type <extension type value>
SSL::extensions exists -type <extension type value>
SSL::extensions insert <opaque extensions>
SSL::extensions
- Returns the extensions sent by the peer as a single opaque byte array.
- Valid in all SSL handshake events (those other than *SSL_DATA).
SSL::extensions count
- Returns the number of extensions sent by the peer.
SSL::extensions -index <extension number>
- Returns the opaque extension byte array corresponding to the specified N-th (zero-indexed) extension.
SSL::extensions -type <extension type value>
- Returns the opaque extension byte array corresponding to the specified extension type value, or an empty string if not found.
- Returns only the first instance if the same extension type is present more than once.
SSL::extensions exists -type <extension type value>
- Returns 0 if no extension corresponding to the specified extension type value was provided, or non-zero if at least one such extension exists.
SSL::extensions insert <opaque extensions>
- Appends the opaque extension specified by a byte array to the set of extensions to send to the peer.
- Valid only in SERVERSSL_CLIENTHELLO_SEND and CLIENTSSL_CLIENTHELLO events.
- No validation of the extension is performed beyond checking that the encoded length matches the extension data.
Note: an opaque extension byte array holds one or more TLS-encoded extensions, each consisting of a 2-byte extension type, a 2-byte data length and the extension data, all big-endian. Because insert checks only that the encoded length matches the data, a caller is responsible for supplying a sensible type and a well-formed body.
Examples
when CLIENTSSL_HANDSHAKE {
    log local0.info "CLIENTSSL_HANDSHAKE"

    # Walk every extension the client sent, one at a time by index.
    set ext_count [SSL::extensions count]
    log local0.info "SSL::extensions count = $ext_count"
    for {set i 0} {$i < $ext_count} {incr i} {
        # Each extension is type (2 bytes), length (2 bytes), data.
        # S1 scans a signed big-endian 16-bit value; mask with 0xffff
        # to recover the unsigned type and length.
        binary scan [SSL::extensions -index $i] S1S1H* ext_type ext_len ext
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension #[expr {$i + 1}]: (type $ext_type len $ext_len) $ext"
    }

    # The whole extension list as one hex string.
    binary scan [SSL::extensions] H* exts
    log local0.info "SSL extensions: $exts"

    # Look up a specific extension by type: 35 is session_ticket.
    set ext_exists [SSL::extensions exists -type 35]
    log local0.info "SSL extension type 35 exists: $ext_exists"
    if {$ext_exists} {
        set scan [binary scan [SSL::extensions -type 35] S1S1H* ext_type ext_len ext]
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension type 35: (scan $scan type $ext_type len $ext_len) $ext"
    }

    # Type 0 is server_name (SNI).
    set ext_exists [SSL::extensions exists -type 0]
    log local0.info "SSL extension type 0 exists: $ext_exists"
    if {$ext_exists} {
        set scan [binary scan [SSL::extensions -type 0] S1S1H* ext_type ext_len ext]
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        log local0.info "SSL extension type 0: (scan $scan type $ext_type len $ext_len) $ext"
    }
}
Sample log output:
<CLIENTSSL_HANDSHAKE>: CLIENTSSL_HANDSHAKE
<CLIENTSSL_HANDSHAKE>: SSL::extensions count = 1
<CLIENTSSL_HANDSHAKE>: SSL extension #1: (type 65281 len 1) 00
<CLIENTSSL_HANDSHAKE>: SSL extensions: ff01000100
<CLIENTSSL_HANDSHAKE>: SSL extension type 35 exists: 0
<CLIENTSSL_HANDSHAKE>: SSL extension type 0 exists: 0
when CLIENTSSL_CLIENTHELLO {
    # Frame a single extension as type (2 bytes), length (2 bytes), data
    # and append it to the extensions sent to the peer.
    set my_ext "Hello world!"
    set my_ext_type 62965
    SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext]
}
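The following is an added example and not part of the original page or of F5's own code. It is plain Tcl that walks an opaque extension byte array in the type/length/data layout described in the Note above, detects a list that is cut off mid-extension, pulls the host name out of a server_name extension, and frames a new extension for SSL::extensions insert. The procs parse_extensions, find_extension, sni_host_name and encode_extension are names chosen here, not iRules commands; they take the byte array as an argument so the script runs in tclsh on the constructed sample below, and in an iRule you would pass [SSL::extensions] instead and replace puts with log.

```tcl
# Added example, not from the original page: plain Tcl (tclsh or an iRule
# proc) that walks an opaque extension byte array in the layout described
# in the Note above and frames a new extension for SSL::extensions insert.
# The procs take the byte array as an argument so they run offline on
# constructed input; in an iRule pass [SSL::extensions] instead. As in the
# page's example, 16-bit fields are scanned with S1 and masked with 0xffff,
# since iRules Tcl lacks the unsigned Su scan flag.

# Return a list of {type length data} triples. A header or body that runs
# past the end of the buffer raises an error instead of being read as if
# it were there.
proc parse_extensions {exts} {
    set total [string length $exts]
    set off 0
    set result {}
    while {$off < $total} {
        if {$off + 4 > $total} {
            error "truncated extension header at offset $off"
        }
        binary scan $exts @${off}S1S1 ext_type ext_len
        set ext_type [expr {$ext_type & 0xffff}]
        set ext_len [expr {$ext_len & 0xffff}]
        incr off 4
        if {$off + $ext_len > $total} {
            error "extension type $ext_type declares $ext_len bytes, only [expr {$total - $off}] remain"
        }
        set data [string range $exts $off [expr {$off + $ext_len - 1}]]
        lappend result [list $ext_type $ext_len $data]
        incr off $ext_len
    }
    return $result
}

# Data of the first extension with the given type, or "" if absent
# (the same first-match rule as SSL::extensions -type).
proc find_extension {exts type} {
    foreach ext [parse_extensions $exts] {
        if {[lindex $ext 0] == $type} {
            return [lindex $ext 2]
        }
    }
    return ""
}

# Host name from a server_name (type 0) extension body, RFC 6066: a 2-byte
# list length, then name_type (1 byte, 0 = host_name), a 2-byte name
# length and the name. Returns "" for anything else or a short body.
proc sni_host_name {data} {
    if {[string length $data] < 5} {
        return ""
    }
    binary scan $data S1cS1 list_len name_type name_len
    set name_len [expr {$name_len & 0xffff}]
    if {$name_type != 0 || 5 + $name_len > [string length $data]} {
        return ""
    }
    return [string range $data 5 [expr {4 + $name_len}]]
}

# Frame one extension for SSL::extensions insert: 2-byte type, 2-byte
# length, data. The length is taken from the byte string itself, which is
# the only thing insert verifies.
proc encode_extension {type data} {
    set len [string length $data]
    if {$len > 0xffff} {
        error "extension data too long: $len bytes"
    }
    return [binary format S1S1a* $type $len $data]
}

# Constructed sample input: the renegotiation_info extension from the
# page's log output (ff01000100), a server_name extension for
# example.com, and an empty extension of type 23 (extended_master_secret).
set sni_body [binary format S1cS1a* 14 0 11 "example.com"]
set sample [binary format H* ff01000100]
append sample [encode_extension 0 $sni_body]
append sample [encode_extension 23 ""]

foreach ext [parse_extensions $sample] {
    foreach {type len data} $ext break
    binary scan $data H* hex
    puts "type $type len $len data $hex"
}
puts "SNI host: [sni_host_name [find_extension $sample 0]]"

# A list cut off inside the server_name body is rejected, not misread.
if {[catch {parse_extensions [string range $sample 0 end-10]} err]} {
    puts "rejected: $err"
}

# In an iRule, send an extension with the page's example values:
#   when CLIENTSSL_CLIENTHELLO {
#       SSL::extensions insert [encode_extension 62965 "Hello world!"]
#   }
```

encode_extension computes the length from the byte string it is handed, so it stays correct for binary payloads built with binary format; pass it text only if every character fits in one byte, since the a* format writes the low 8 bits of each character. The truncation checks in parse_extensions matter because the command itself does not validate extension contents: a peer can declare a length larger than the bytes it actually sent, and a loop that trusts the declared length would read past the end of the buffer.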