On Wed, Jun 17, 2015 at 8:21 AM, Stefan Eissing <[email protected]> wrote:
> 1. connection, setup for base server and defaults
> 2. client hello arrives
> 3. ALPN callback is invoked by openssl
> 4. ALPN protocol is chosen, this triggers the server answer
> 5. SNI callback is invoked by openssl and sets up vhost info and configs
> 6. Oops.
>
> Lacking the SNI name and vhost setups, the sendback in 4 seems to fall back to
> the default vhost selection and that certificate is used to answer the call.
>
> The issue has been reported by me on the openssl dev list. As a workaround
> for now and compatibility to older openssl versions, I propose to add to the
> ALPN patch something that
> a) checks in ALPN callback if vhost has been set up by SNI callback
> b) if not, retrieves SNI servername via SSL_get_servername()
> c) if servername is returned, set up vhost just like in SNI callback
> d) if SNI callback is invoked and vhost has been set up already, nop
>
> Sounds reasonable?
Seems fair

-- 
Eric Covener
[email protected]
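The ordering problem and the a) to d) workaround from the quoted message, as an added C example that is not code from this thread, from httpd or from OpenSSL. It models the per-connection state with a constructed struct and stand-in callbacks in place of the real ones (in mod_ssl those are registered with SSL_CTX_set_alpn_select_cb() and SSL_CTX_set_tlsext_servername_callback(), and the name is read with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)); the host names, the default vhost name and the comma-separated protocol list are constructed. Running the handshake with and without the workaround shows which vhost's certificate goes out with the answer in step 4, and that the vhost setup still runs only once.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-connection state the server keeps.
 * Field names are assumptions for this example, not mod_ssl's own. */
typedef struct {
    const char *sni_name;       /* servername from the ClientHello, NULL if absent */
    const char *vhost;          /* selected vhost, NULL until set up */
    const char *answered_with;  /* vhost whose certificate answered the ClientHello */
    int setup_count;            /* how often the vhost setup actually ran */
} conn_t;

#define DEFAULT_VHOST "default.example"   /* constructed default vhost name */

/* The "set up vhost info and configs" step (step 5); must run at most once. */
static void setup_vhost(conn_t *c, const char *name)
{
    c->vhost = name;
    c->setup_count++;
}

/* Vhost whose certificate is used if the server has to answer right now. */
static const char *effective_vhost(const conn_t *c)
{
    return c->vhost ? c->vhost : DEFAULT_VHOST;
}

/* Step d): the SNI callback becomes a no-op if the ALPN path already did the work. */
static void sni_callback(conn_t *c)
{
    if (c->vhost)
        return;
    setup_vhost(c, c->sni_name ? c->sni_name : DEFAULT_VHOST);
}

/* Steps a) to c): with the workaround, the ALPN callback checks whether the vhost
 * is set up, fetches the servername itself (stands in for SSL_get_servername())
 * and sets the vhost up before the server answer is triggered. */
static const char *alpn_callback(conn_t *c, const char *offered, int workaround)
{
    if (workaround && !c->vhost && c->sni_name)
        setup_vhost(c, c->sni_name);
    /* Step 4: choosing the protocol triggers the answer, so this is the
     * certificate the client gets. Real ALPN lists are length-prefixed;
     * the comma-separated string is a constructed simplification. */
    c->answered_with = effective_vhost(c);
    return strstr(offered, "h2") ? "h2" : "http/1.1";
}

/* Callbacks in the order the quoted steps describe: ALPN first, then SNI. */
static const char *handshake(conn_t *c, const char *offered, int workaround)
{
    const char *proto = alpn_callback(c, offered, workaround);
    sni_callback(c);
    return proto;
}

/* One-result helpers so each outcome can be checked on its own. */
static const char *answered_with_for(const char *sni, const char *offered, int workaround)
{
    conn_t c = { sni, NULL, NULL, 0 };
    handshake(&c, offered, workaround);
    return c.answered_with;
}

static const char *proto_for(const char *sni, const char *offered, int workaround)
{
    conn_t c = { sni, NULL, NULL, 0 };
    return handshake(&c, offered, workaround);
}

static int setups_for(const char *sni, const char *offered, int workaround)
{
    conn_t c = { sni, NULL, NULL, 0 };
    handshake(&c, offered, workaround);
    return c.setup_count;
}

int main(void)
{
    const char *sni = "www.example.org";   /* constructed client servername */
    const char *offered = "h2,http/1.1";
    printf("without workaround: answered with %s (proto %s, setups %d)\n",
           answered_with_for(sni, offered, 0), proto_for(sni, offered, 0),
           setups_for(sni, offered, 0));
    printf("with workaround:    answered with %s (proto %s, setups %d)\n",
           answered_with_for(sni, offered, 1), proto_for(sni, offered, 1),
           setups_for(sni, offered, 1));
    return 0;
}
```

Without the workaround the answer in step 4 carries the default vhost's certificate even though the client named www.example.org; with it, the ALPN callback does the setup and the later SNI callback sees the vhost already present and does nothing, so the setup count stays at one in both cases.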
