Hello Benjamin,

On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk <bka...@akamai.com> wrote:

> On 12/09/2016 01:43 PM, Fedor Indutny wrote:
> Hello,
> During development of one feature for my TLS proxy bud, I have discovered
> that the cert_cb is invoked only for newly generated tickets/sessions. The
> reasoning behind this is clear, but I believe that it is most likely needs
> a revision. Here is my reasoning:
> The major use case is choosing a certificate/private key either
> dynamically (based on various parameters of SSL structure) or
> asynchronously (by using SSL_ERROR_WANT_X509_LOOKUP). However when the
> TLS ticket is provided by the client, it will be parsed and loaded using
> the ticket key from the main context, without giving a way for application
> to override it for particular servername (from SNI). Furthermore, with the
> TLS ticket provided application can no longer chose to provide a different
> certificate in case of expiration or revocation.
> If you had a callback that ran before session resumption (possibly the
> existing SNI callback, possibly a new callback), would that allow you to
> solve your problem?  I would very much like to see such an early callback
> so as to be able to do SNI processing before resumption, possibly even
> before version negotiation.  (And yes, I should put my money where my mouth
> is and come up with a patch.)

That's exactly what I am asking for. Putting it before session resumption
will be enough for my use case, though.

Thank you,

> -Ben
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to