On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote:
> This totally makes sense. Unfortunately, adding a new API method for this
> means that I'll have to re-introduce the ClientHello parser in bud, and make
> wider use of it in Node.js again.
FWIW, BoringSSL offers an early callback that is passed a semi-parsed CH, and an API to extract specific extensions from it (though this returns the raw unparsed extension body). Something similar could be adopted for OpenSSL.

Whether this should be called in the CH post-process phase (immediately before cert_cb) or much earlier (like BoringSSL) is likely to affect the implementation though (e.g. I'm not sure if the CH buffer is still available in the post-process phase).

Might be worth noting that BoringSSL changed the CH processing recently, by moving the session resumption logic after cert_cb, which means cert_cb is now called every time, but without an SSL_SESSION being available. So calling the cert_cb unconditionally is not unheard of.

Cheers
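What an early ClientHello callback has to do by hand when the TLS library offers no extension accessor: an added example (not code from OpenSSL, BoringSSL or bud) that walks a ClientHello body and returns the raw, unparsed body of one extension, which is the same shape of result the BoringSSL accessor described above gives back. The ClientHello bytes and the function names are constructed for this illustration; every length field is bounds-checked so a truncated or malformed hello is rejected rather than read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a ClientHello body (the bytes after the 4-byte handshake header) and
   return 1 with *out/*out_len set to the raw extension_data of `type`, or 0 if
   the extension is absent or the message is malformed or truncated. */
int clienthello_get_extension(const uint8_t *ch, size_t ch_len, uint16_t type,
                              const uint8_t **out, size_t *out_len)
{
    size_t off = 2 + 32, n;                          /* legacy_version + random */
    if (ch_len < off + 1) return 0;
    n = ch[off++];                                   /* session_id */
    if (n > 32 || off + n + 2 > ch_len) return 0;
    off += n;
    n = rd16(ch + off); off += 2;                    /* cipher_suites */
    if (n < 2 || (n & 1) || off + n + 1 > ch_len) return 0;
    off += n;
    n = ch[off++];                                   /* compression_methods */
    if (n < 1 || off + n + 2 > ch_len) return 0;     /* no room for extensions */
    off += n;
    n = rd16(ch + off); off += 2;                    /* extensions length */
    if (off + n != ch_len) return 0;                 /* must cover the remainder */
    while (off + 4 <= ch_len) {
        uint16_t t = rd16(ch + off);
        size_t l = rd16(ch + off + 2);
        off += 4;
        if (off + l > ch_len) return 0;              /* extension runs past end */
        if (t == type) { *out = ch + off; *out_len = l; return 1; }
        off += l;
    }
    return 0;
}

/* Constructed sample: a TLS 1.2-framed ClientHello body with one cipher suite,
   null compression and two extensions, server_name (0) and
   signature_algorithms (13). Returns the body length written into buf. */
size_t sample_clienthello(uint8_t *buf)
{
    static const uint8_t tail[] = {
        0x00, 0x02, 0x13, 0x01,             /* cipher_suites: TLS_AES_128_GCM_SHA256 */
        0x01, 0x00,                         /* compression_methods: null */
        0x00, 0x1c,                         /* extensions length = 28 */
        0x00, 0x00, 0x00, 0x10,             /* server_name, length 16 */
        0x00, 0x0e, 0x00, 0x00, 0x0b,       /* list len 14, host_name, len 11 */
        'e','x','a','m','p','l','e','.','c','o','m',
        0x00, 0x0d, 0x00, 0x04,             /* signature_algorithms, length 4 */
        0x00, 0x02, 0x08, 0x04              /* rsa_pss_rsae_sha256 */
    };
    buf[0] = 0x03; buf[1] = 0x03;           /* legacy_version */
    memset(buf + 2, 0x42, 32);              /* random (fixed for the sample) */
    buf[34] = 0;                            /* empty session_id */
    memcpy(buf + 35, tail, sizeof tail);
    return 35 + sizeof tail;
}
```

The returned pointer aliases the caller's buffer, so a callback using it must finish with the extension before the library reuses or frees the ClientHello buffer, which is exactly the lifetime question raised above for the post-process phase.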
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev