Conversation

mattia-moffa
Contributor

This adds an example for the TLS 1.3 certificate_authorities extension in ClientHello.

This was newly implemented in wolfSSL/wolfssl#9209. Should wait for that to be merged before this.

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds example implementations showcasing the TLS 1.3 certificate_authorities extension in ClientHello messages. The examples demonstrate how clients can indicate supported certificate authorities to guide server certificate selection.

  • Adds a complete TLS 1.3 server example that responds to certificate_authorities extensions
  • Adds a corresponding client example that sends certificate_authorities extensions
  • Implements dynamic certificate selection based on client-provided CA names

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File: tls/server-tls13-certauth-c2s.c
Description: Server implementation with a certificate selection callback based on the client-supplied CA names

File: tls/client-tls13-certauth-c2s.c
Description: Client implementation that sends the certificate_authorities extension in ClientHello

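The server-side behaviour the overview describes (parse the client's certificate_authorities list, present a certificate whose issuer the client named, fall back to the default otherwise), as an added example in plain C that is not the PR's wolfSSL code. The wire format is RFC 8446's; the candidate struct, function names and the short sample issuer bytes standing in for DER names are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Callback invoked once per DER-encoded DistinguishedName; return nonzero to stop early. */
typedef int (*ca_name_cb)(const uint8_t *dn, size_t dn_len, void *arg);
/* Parse the certificate_authorities extension body (RFC 8446, 4.2.4):
 *   opaque DistinguishedName<1..2^16-1>;  struct { DistinguishedName authorities<3..2^16-1>; }
 * Returns the number of names visited, or -2 if the encoding is malformed. */
int parse_certificate_authorities(const uint8_t *ext, size_t ext_len, ca_name_cb cb, void *arg)
{
    size_t pos = 2, end, dn_len;
    int count = 0;
    if (ext_len < 2) return -2;
    end = 2 + (((size_t)ext[0] << 8) | ext[1]);
    if (end - 2 < 3 || end != ext_len) return -2;        /* list length must cover the body exactly */
    while (pos < end) {
        if (end - pos < 2) return -2;
        dn_len = ((size_t)ext[pos] << 8) | ext[pos + 1];
        pos += 2;
        if (dn_len < 1 || dn_len > end - pos) return -2; /* empty or overlong name */
        count++;
        if (cb && cb(ext + pos, dn_len, arg)) break;
        pos += dn_len;
    }
    return count;
}
/* Server-side candidate certificate; its DER issuer name is matched against the client's list. */
typedef struct { const char *label; const uint8_t *issuer; size_t issuer_len; } cert_candidate;
struct selection { const cert_candidate *cands; size_t n; int chosen; };
static int match_issuer(const uint8_t *dn, size_t dn_len, void *arg)
{
    struct selection *s = arg;
    for (size_t i = 0; i < s->n; i++)
        if (s->cands[i].issuer_len == dn_len && memcmp(s->cands[i].issuer, dn, dn_len) == 0)
            return s->chosen = (int)i, 1;  /* client order is preference order: first hit wins */
    return 0;
}
/* Returns the candidate index to present, -1 if no issuer matches (use the default certificate),
 * or -2 if the extension is malformed (abort the handshake rather than guess). */
int select_certificate(const uint8_t *ext, size_t ext_len, const cert_candidate *cands, size_t n)
{
    struct selection s = { cands, n, -1 };
    return parse_certificate_authorities(ext, ext_len, match_issuer, &s) < 0 ? -2 : s.chosen;
}
/* Constructed sample data: short byte strings stand in for DER-encoded issuer names. */
static const uint8_t kIssuerA[4] = { 'C', 'A', '-', 'A' }, kIssuerB[4] = { 'C', 'A', '-', 'B' };
static const cert_candidate kServerCerts[2] = { { "leaf-signed-by-A", kIssuerA, 4 },
                                                { "leaf-signed-by-B", kIssuerB, 4 } };
static const uint8_t kClientHelloCAs[14] = { 0x00, 0x0C,              /* authorities length = 12 */
    0x00, 0x04, 'C', 'A', '-', 'B', 0x00, 0x04, 'C', 'A', '-', 'A' };  /* CA-B preferred over CA-A */
```

With the sample data, the client lists CA-B before CA-A, so the server picks the certificate issued by CA-B (index 1); a truncated or overlong encoding is rejected instead of being partially honoured.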

@mattia-moffa mattia-moffa force-pushed the 20250923-certauth-clienthello branch from ce02161 to fefad7d on September 25, 2025 14:23
@mattia-moffa mattia-moffa force-pushed the 20250923-certauth-clienthello branch from fefad7d to f4ecf7d on September 25, 2025 14:25
Member

@julek-wolfssl julek-wolfssl left a comment

Examples should be minimal pieces of code showcasing only a set of features. Comments about "bloat" refer to features that are not relevant to CA lists.

I ran the examples and everything looks to work.

@mattia-moffa
Contributor Author

@julek-wolfssl That's not code written by me. I took client-tls13.c and server-tls13.c and modified them to showcase the new feature. I tried to follow the guideline in wolfssl-examples/tls/README.md that says:

In general, the naming convention of these files means that if a file is named in the form X-Y.c, then it's a copy of X.c intended to demonstrate Y. The exceptions being server-tls.c and client-tls.c, as noted above. Furthermore, the files are formatted such that using a diff tool such as vimdiff to compare X-Y.c to X.c should highlight only the relevant changes required to convert X.c into X-Y.c

The changes you're suggesting are not on things that I added, they're also present in client-tls13.c and server-tls13.c.

@julek-wolfssl
Member

Thanks for pointing that out. I still think that it's better to remove these sections because we already have default secret callbacks in wolfssl so these callbacks are not necessary. Removing the callbacks cuts out ~80 lines from each example.

@mattia-moffa
Contributor Author

Alright. Should I do that on these new files only or on other files that do this too?

@julek-wolfssl
Member

Only on new files for now. You can add a note to the README if you want to be extra thoughtful.

julek-wolfssl previously approved these changes Sep 26, 2025
@mattia-moffa mattia-moffa requested a review from dgarske October 6, 2025 13:43
@mattia-moffa mattia-moffa removed their assignment Oct 6, 2025
@mattia-moffa mattia-moffa requested a review from dgarske October 6, 2025 16:17
@dgarske dgarske merged commit 75a4312 into wolfSSL:master Oct 6, 2025