Hi Dave,

On Wed, Dec 02, 2015 at 07:17:36PM +0000, Dave Zhu (yanbzhu) wrote:
> Hello all,
>
> I've written up Willy and Emeric's proposal and it seems to test fine, at
> least from a functionality standpoint.

Thanks a lot for doing this work!

> I would appreciate it if interested parties would beat on this harder than
> I did to work out kinks.

I'll have to study it with Emeric.

> To recap for those that are new:
>
> You can now specify <path_to_cert> as a crt or a crt-list entry, but
> <path_to_cert> will not actually exist. Instead, there will be
> <path_to_cert>.rsa, <path_to_cert>.ecdsa and/or <path_to_cert>.dsa. The
> code will load what's available and create (up to) 7 unique SSL_CTX with
> the correct sets of keys and certs. It then adds these to the SNI lookup
> tree, and sets a default context if one has not been set.
>
> A couple of things to note:
>
> 1) The default context will be set to the SSL_CTX that contains the set of
> most often used key formats. So currently, it will prefer contexts that
> contain RSA, ECDSA then DSA in that order. SSL_CTXs with more key types
> will be preferred over SSL_CTXs with fewer key types.

I didn't understand what you meant with this last sentence, it sounds like
there could be multiple default contexts which are more or less randomly
chosen so that confuses me.

> 2) The code for processing the CN/SANs is quite complex. I've added as
> many comments as I thought was needed, but it still is not simple to read.
> The logic though is simple:
>
> - Load info of each crt entry.
> - Iterate through all CN/SAN entries and map each entry to which key types
>   contain it
> - Iterate through list of entries to create the requisite SSL_CTXs and
>   add the SSL_CTX to the sni_tree based on the current CN/SAN
>
> Time to process is O(N) where N=# of CN/SANs.

OK thanks for explaining. Anyway I don't see how you could do less than O(N)
if you have to register N names, so that sounds fine.

> In the interest of not clogging up everyone's inboxes, I've put the
> patches on pastebin, let me know if that works.
>
> Patch 1 - http://pastebin.com/B9KXnEZN
> Patch 2 - http://pastebin.com/qFXq2Pbe
> Patch 3 - http://pastebin.com/F9Y1N2YN

You should have posted them here, it's more convenient for everyone to review
and respond. Don't worry about people's mailboxes, those who don't want to
receive patches or spam don't subscribe. And these patches are not *that* big
anyway.

Thanks!
Willy
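The three-step logic recapped in the thread (load each key type, map every CN/SAN to the key types whose certificate carries it, then create one context per distinct key-type set and register the names) can be modelled without OpenSSL. The following is an added example written for this page, not Dave's patches or HAProxy's own code: bit masks over {RSA, ECDSA, DSA} stand in for SSL_CTX objects (the seven non-empty masks are the "up to 7" contexts), the host names are constructed, and the default-context rule is one reading of note 1) above (more key types first, then RSA before ECDSA before DSA), which is an assumption since that sentence is exactly what Willy asks about.

```c
#include <stdio.h>
#include <string.h>

/* Key-type bit flags; the seven non-empty combinations are masks 1..7. */
enum { KT_RSA = 1, KT_ECDSA = 2, KT_DSA = 4, KT_ALL = 7 };

#define MAX_NAMES 32

/* One CN/SAN name and the set of key types whose certificate carries it. */
struct name_entry { const char *name; unsigned mask; };

/* One (name, key type) pair, as read out of <path>.rsa / .ecdsa / .dsa. */
struct cert_name { const char *name; unsigned keytype; };

/* Constructed sample input (hypothetical names): the RSA cert carries
 * three names, the ECDSA cert two of them, the DSA cert only one. */
static const struct cert_name SAMPLE[] = {
    { "www.example.com", KT_RSA },   { "example.com", KT_RSA }, { "api.example.com", KT_RSA },
    { "www.example.com", KT_ECDSA }, { "example.com", KT_ECDSA },
    { "example.com",     KT_DSA },
};
#define SAMPLE_LEN ((int)(sizeof(SAMPLE) / sizeof(SAMPLE[0])))

/* Step 2 of the recap: map each CN/SAN to the key types that contain it.
 * Returns the number of distinct names, or -1 if 'out' is too small.
 * The duplicate check is a linear scan for brevity; an indexed lookup
 * (HAProxy's SNI tree) keeps the whole pass O(N). */
int build_name_masks(const struct cert_name *in, int n_in,
                     struct name_entry *out, int max_out)
{
    int n = 0;
    for (int i = 0; i < n_in; i++) {
        int j;
        for (j = 0; j < n; j++)
            if (strcmp(out[j].name, in[i].name) == 0)
                break;
        if (j == n) {                 /* first time we see this name */
            if (n == max_out)
                return -1;
            out[n].name = in[i].name;
            out[n].mask = 0;
            n++;
        }
        out[j].mask |= in[i].keytype; /* record one more key type for it */
    }
    return n;
}

/* Step 3: names with the same key-type set share one SSL_CTX, so the
 * contexts that must exist are the distinct masks. Bit (m-1) of the
 * result is set when a context for mask m (1..7) is needed. */
unsigned needed_ctx_masks(const struct name_entry *names, int n)
{
    unsigned needed = 0;
    for (int i = 0; i < n; i++)
        if (names[i].mask)            /* every name has at least one cert */
            needed |= 1u << (names[i].mask - 1);
    return needed;
}

int count_contexts(unsigned needed)
{
    int c = 0;
    for (unsigned m = 1; m <= KT_ALL; m++)
        if (needed & (1u << (m - 1)))
            c++;
    return c;
}

/* Assumed default-context preference: more key types beat fewer, and on a
 * tie RSA, then ECDSA, then DSA wins. Folded into one rank so that the
 * comparison is total and there is exactly one default. */
int ctx_rank(unsigned mask)
{
    int bits = !!(mask & KT_RSA) + !!(mask & KT_ECDSA) + !!(mask & KT_DSA);
    int pref = ((mask & KT_RSA) ? 4 : 0) | ((mask & KT_ECDSA) ? 2 : 0) | ((mask & KT_DSA) ? 1 : 0);
    return bits * 8 + pref;
}

unsigned choose_default_mask(unsigned needed)
{
    unsigned best = 0;                /* 0: no certificate loaded at all */
    int best_rank = -1;
    for (unsigned m = 1; m <= KT_ALL; m++) {
        if (!(needed & (1u << (m - 1))))
            continue;
        if (ctx_rank(m) > best_rank) {
            best_rank = ctx_rank(m);
            best = m;
        }
    }
    return best;
}

/* Run the constructed sample through the pipeline. */
unsigned sample_mask_for(const char *name)
{
    struct name_entry names[MAX_NAMES];
    int n = build_name_masks(SAMPLE, SAMPLE_LEN, names, MAX_NAMES);
    for (int i = 0; i < n; i++)
        if (strcmp(names[i].name, name) == 0)
            return names[i].mask;
    return 0;
}

unsigned sample_needed_masks(void)
{
    struct name_entry names[MAX_NAMES];
    int n = build_name_masks(SAMPLE, SAMPLE_LEN, names, MAX_NAMES);
    return needed_ctx_masks(names, n);
}

int main(void)
{
    struct name_entry names[MAX_NAMES];
    int n = build_name_masks(SAMPLE, SAMPLE_LEN, names, MAX_NAMES);
    unsigned needed = needed_ctx_masks(names, n);
    for (int i = 0; i < n; i++)
        printf("%-16s -> key-type mask %u\n", names[i].name, names[i].mask);
    printf("%d SSL_CTX needed, default has mask %u\n",
           count_contexts(needed), choose_default_mask(needed));
    return 0;
}
```

With the sample, "example.com" lands in all three certificates (mask 7), "www.example.com" in RSA+ECDSA (mask 3) and "api.example.com" in RSA only (mask 1), so three of the seven possible contexts are built and the one holding all three key types becomes the default. The rank function is what makes the tie-breaking deterministic; under the reading above there is never more than one default.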

