Darn... It turns out: OpenSSL does have the feature: v3_tlsf.c, but it only exists in the master repository as far as I can tell. (v3_tlsf.c @ 1.0.2-stable = 404)
Now, as I am not running some mission critical server here and I'm running Gentoo, it's actually quite easy to compile and maintain a piece of software directly from Git. Actually, my current OpenSSL is the 1.0.2-stable branch directly from Git, because 1.0.2d was missing a feature I wanted.
But I was wondering: how do you think of running bleeding edge security software like OpenSSL directly from Git? Could it actually be more safe, because some bugs might be patched sooner? Or do the costs outweigh the benefits?
I guess that's a way to force something into your CSR. Didn't know that "feature".
But also very interesting! I'd like to know how one comes to the DER encoded value of status_request? I can see it in the commit, but where does it come from?
I've already found the X.690: ASN.1 encoding rules, which would suggest it's a BIT STRING (0x03) of length 3 (0x03) with contents 0x020105. The 0x02 identifies the "unused bits in the final subsequent octet". Visual example: BIT STRING (Yes, from Microsoft, but hey, visual, so easy to understand) Euuuh, but... 0x05... That's 101b... That doesn't make any sense... 3003020104 would be equal. Proof: https://lapo.it/asn1js/#0303020104 and https://lapo.it/asn1js/#0303020105 give the same result: BIT STRING(14 bit) 00000001000001 How does one arrive at the 3003020105 sequence? Google didn't give me many results...
On that question, I'm not in favor of running the latest bleeding edge code. There's always a chance of a major issue in function let alone security. As OpenSSL is used by many system components, it's also one of those things you want stable and that will necessitate a lot of recompilation when changed. As a sysadmin, the very last thing I want is an OpenSSL upgrade leading to an unbootable system or having to re-build a lot of core system packages because the ABI has changed.
For me, this is one of those things where absent very specific circumstances the risks far outweigh the benefits.
Unbootable system b/c of an OpenSSL upgrade? How on earth would you get that?
But indeed, there's most certainly the issue of breakage... Unfortunately, I've got no clue if OpenSSL's ABI has changed significantly between 1.0.2 and 1.1.0...
Oh, BTW, @selecadm: In the GitHub commit it says: 0303020105 and you say: 3003020105... Typo? Even so, still wondering where that value exactly comes from...
Guess your version (30...) was correct: I've installed the master repository from GitHub (yes, I'm stubborn) and it returns:
TLS Feature:
status_request
The 03-version results in:
TLS Feature:
.....
Nice, I understand the DER-encoding now: 0x30: Universal, Constructed content of the SEQUENCE or SEQUENCE OF type. 0x03: length of constructed content = 3. 0x02 = type of content (INTEGER), 0x01 = length (1), 0x05 = value (5 = "status_request").
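To make the two encodings discussed in this thread (the BIT STRING reading 0303020105 from the earlier post, and the SEQUENCE OF INTEGER reading 3003020105 from the post above) concrete, here is a small DER encoder/decoder for the TLS Feature extension. This is an added example and not OpenSSL's v3_tlsf.c code; it assumes the structure from RFC 7633 (Features ::= SEQUENCE OF INTEGER, where the INTEGER is a TLS extension type number, 5 = status_request) and uses only hand-rolled byte handling so it runs offline.

```python
"""Added example: minimal DER handling for the X.509 TLS Feature extension
(RFC 7633, OID 1.3.6.1.5.5.7.1.24).  Not OpenSSL's code; it reproduces by
hand what the thread saw from the commit and from lapo.it/asn1js."""
from typing import List, Tuple

TAG_INTEGER = 0x02
TAG_BIT_STRING = 0x03
TAG_SEQUENCE = 0x30          # 0x20 (constructed) | 0x10 (SEQUENCE)

# INTEGER values are TLS extension type numbers (IANA TLS ExtensionType registry).
TLS_FEATURE_NAMES = {5: "status_request", 17: "status_request_v2"}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form 0x8N + N bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([TAG_INTEGER]) + der_length(len(body)) + body


def encode_tls_feature(features: List[int]) -> bytes:
    """Features ::= SEQUENCE OF INTEGER  ->  e.g. [5] gives 30 03 02 01 05."""
    content = b"".join(der_integer(f) for f in features)
    return bytes([TAG_SEQUENCE]) + der_length(len(content)) + content


def read_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at `offset`; return (tag, value, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("TLV length exceeds buffer")
    return tag, data[pos:end], end


def decode_tls_feature(der: bytes) -> List[int]:
    """Parse the extension value; rejects anything that is not SEQUENCE OF INTEGER."""
    tag, content, end = read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    features, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        if tag != TAG_INTEGER:
            raise ValueError(f"expected INTEGER (0x02), got 0x{tag:02x}")
        features.append(int.from_bytes(value, "big", signed=True))
    return features


def feature_names(der: bytes) -> List[str]:
    """What OpenSSL prints under 'TLS Feature:' for a correctly encoded value."""
    return [TLS_FEATURE_NAMES.get(f, str(f)) for f in decode_tls_feature(der)]


def decode_bit_string(der: bytes) -> Tuple[int, str]:
    """The 0x03 reading: first content octet = unused trailing bits, rest = bits."""
    tag, content, _ = read_tlv(der)
    if tag != TAG_BIT_STRING or not content:
        raise ValueError("not a BIT STRING")
    unused = content[0]
    if unused > 7:
        raise ValueError("unused-bits octet must be 0..7")
    bits = "".join(f"{b:08b}" for b in content[1:])
    bits = bits[:len(bits) - unused] if unused else bits
    return len(bits), bits


if __name__ == "__main__":
    good = encode_tls_feature([5])
    print(good.hex(), feature_names(good))                 # 3003020105 ['status_request']
    print(decode_bit_string(bytes.fromhex("0303020105")))  # (14, '00000001000001')
```

The BIT STRING decoder shows why lapo.it rendered both 0303020104 and 0303020105 identically: with 0x02 unused bits the last two bits of the final octet are discarded, so the 04/05 difference never appears. Decoding the same bytes as a TLS Feature value raises, because the outer tag is 0x03 rather than 0x30, which matches the "....." that OpenSSL printed for that variant.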