maskit commented on a change in pull request #8014:
URL: https://github.com/apache/trafficserver/pull/8014#discussion_r669232568



##########
File path: iocore/net/SSLUtils.cc
##########
@@ -430,13 +478,17 @@ ssl_cert_callback(SSL *ssl, void * /*arg*/)
 
   // If we are in tunnel mode, don't select a cert.  Pause!
   if (HttpProxyPort::TRANSPORT_BLIND_TUNNEL == netvc->attributes) {
+#ifdef OPENSSL_IS_BORINGSSL
+    return -2; // Retry
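Review bot: the literal `-2` on the `OPENSSL_IS_BORINGSSL` branch is a magic number whose only documentation is `// Retry`, and it matches neither of the return-value contracts discussed in this thread: the BoringSSL `ssl_select_cert_result_t` enum quoted below defines retry as `0` and error as `-1`, and the OpenSSL `cert_cb` contract quoted below says only that a negative value suspends the handshake. If the intent is the cert-callback "negative pauses" semantics rather than the select-cert enum, the comment should say so and name the BoringSSL API it relies on; if the enum is the intended contract, `ssl_select_cert_retry` should be returned by name. Either way, replace `return -2; // Retry` with a named value plus a comment stating what the caller does with it (suspend and re-invoke this callback, or abort), because a reader of `ssl_cert_callback` cannot tell from `Retry` whether the handshake is paused or the callback merely re-run.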

Review comment:
Seems like there is no "pause" in BoringSSL. Maybe they just use different terms.

OpenSSL
> The callback can then inspect the passed ssl structure and set or clear any appropriate certificates. If the callback is successful it MUST return 1 even if no certificates have been set. A zero is returned on error which will abort the handshake with a fatal internal error alert. A negative return value will suspend the handshake and the handshake function will return immediately. SSL_get_error(3) will return SSL_ERROR_WANT_X509_LOOKUP to indicate that the handshake was suspended. The next call to the handshake function will again lead to the call of cert_cb(). It is the job of the cert_cb() to store information about the state of the last call, if required to continue.

BoringSSL
```cpp
enum ssl_select_cert_result_t BORINGSSL_ENUM_INT {
  // ssl_select_cert_success indicates that the certificate selection was
  // successful.
  ssl_select_cert_success = 1,
  // ssl_select_cert_retry indicates that the operation could not be
  // immediately completed and must be reattempted at a later point.
  ssl_select_cert_retry = 0,
  // ssl_select_cert_error indicates that a fatal error occurred and the
  // handshake should be terminated.
  ssl_select_cert_error = -1,
};
```
