
I am not getting any SCTs when using OpenSSL. After setting up the SSL connection, I'm calling

/* called after the connection has been set up, as described below */
SSL_enable_ct(ssl, SSL_CT_VALIDATION_PERMISSIVE);
/* get0: the returned stack is owned by the SSL object, so no sk_SCT_new_null() is needed (and must not be freed) */
const STACK_OF(SCT) *sct_stack = SSL_get0_peer_scts(ssl);
printf("%i SCTs obtained.\n", sk_SCT_num(sct_stack));

And it always prints out that I obtained 0 SCTs, regardless of the domain that I connect to. The thing is, the connection is being set up correctly, because I can grab the X509 certificate for any domain I connect to, and I can send OCSP requests and obtain responses to those requests. But when I try to grab the SCTs that should be sent, my code always informs me that there were no SCTs.

I have a strong feeling that it is my code that isn't working, because even when I connect to one of Google's websites, such as google.com or gmail.com, I am unable to obtain any SCTs from the connection, despite the fact that Google pioneered certificate transparency.

  • I think `SSL_enable_ct()` must be called *before* a connection is made – Matt Caswell Feb 22 '18 at 15:52
  • I'm not very familiar with how SSL connections work, but I will try calling it before the connection is made – Brian Hogan Feb 23 '18 at 04:19
  • `grep -IR SSL_get0_peer_scts` in the OpenSSL sources shows several hits including `apps/s_client.c: const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);`. Maybe you can verify the same behavior from `s_client`, and then look at the `s_client` code at [`/apps/s_client.c`](https://github.com/openssl/openssl/blob/master/apps/s_client.c). The call to `SSL_ct_is_enabled(ssl)` looks kind of interesting to me. The comments about the anonymous session also look interesting. – jww Feb 23 '18 at 14:56

0 Answers