sm: include Inband-Security-Id in CEA when TLS upgrade accepted#246
Closed
tridentsx wants to merge 1 commit into
Closed
sm: include Inband-Security-Id in CEA when TLS upgrade accepted#246tridentsx wants to merge 1 commit into
tridentsx wants to merge 1 commit into
Conversation
When the server accepts Inband-Security-Id=1 from a CER and has TLSConfig set, echo the AVP in the success CEA. Without this, the initiating peer cannot know TLS was accepted and disconnects before the TLS handshake begins. Fixes fiorix#245
Owner
|
Closing — the post-CER/CEA TLS upgrade feature this builds on (#243) was reverted in #244 per @vingarzan's RFC 6733 §5.6 / §6.10 feedback on #238. The pre-existing TLS-on-listen path (TLS handshake before any Diameter messages) remains the spec-compliant approach. If a legitimate need for in-band TLS negotiation surfaces, please discuss on #238 first. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When the server accepts
Inband-Security-Id=1from a CER and hasTLSConfigset, echo the AVP in the success CEA. Without this, the initiating peer cannot know TLS was accepted and disconnects before the TLS handshake begins.Per RFC 3588 §6.2, the CEA must contain the negotiated
Inband-Security-Idso both peers agree on whether to proceed with TLS.Fixes #245