Indeed I just checked BoringSSL's source and it calls cert_cb before
resuming the session. Inviting David Benjamin into this conversation.


Do you have any insights or motivation to share with us? The way BoringSSL
handles session resumption + cert_cb is a correct one in my opinion, and
I'm trying to persuade everyone here of this too :)

Thank you,

On Sat, Dec 10, 2016 at 2:35 PM, Alessandro Ghedini <>

> On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote:
> > This totally makes sense. Unfortunately, adding a new API method for this
> > means that I'll have to re-introduce ClientHello parser in bud, and make a
> > wider use of it in Node.js again.
>
> FWIW, BoringSSL offers an early callback that is passed a semi-parsed CH, and
> an API to extract specific extensions from it (though this returns the raw
> unparsed extension body). Something similar could be adopted for OpenSSL.
> Whether this should be called in the CH post process phase (immediately before
> cert_cb) or much earlier (like BoringSSL) is likely to affect the implementation
> though (e.g. I'm not sure if the CH buffer is still available in the post
> process).
>
> Might be worth noting that BoringSSL changed the CH processing recently, by
> moving the session resumption logic after cert_cb, which means cert_cb is now
> called every time, but without a SSL_SESSION being available. So calling the
> cert_cb unconditionally is not unheard of.
> Cheers
> --
> openssl-dev mailing list
> To unsubscribe:
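As an added illustration (not code from this thread, OpenSSL or BoringSSL), a minimal Python model of the early-callback approach described above: parse the ClientHello, expose each extension's raw body, and let the server choose its certificate from the SNI before consulting the session cache, so the cert_cb-equivalent runs on every handshake whether or not a session exists. The ClientHello bytes are constructed for the example, and `server_dispatch` and `cert_cb` are hypothetical names, not library APIs.

```python
import struct
from typing import Optional

SNI_EXT = 0  # server_name extension type, RFC 6066

def build_client_hello(session_id: bytes, hostname: str) -> bytes:
    """Constructed TLS 1.2-style ClientHello record with a session_id and one SNI extension."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # ServerNameList, host_name
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                   # client_version + all-zero random (constructed)
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType.client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record: bytes) -> dict:
    """Return session_id and the raw, undecoded body of every extension (what an early callback exposes)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len: raise ValueError("truncated ClientHello")
    pos = 34                                          # skip client_version (2) + random (32)
    sid_len = body[pos]; session_id = body[pos + 1:pos + 1 + sid_len]; pos += 1 + sid_len
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites vector
    pos += 1 + body[pos]                                   # compression_methods vector
    extensions = {}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        if pos + ext_len != len(body): raise ValueError("bad extensions length")
        while pos < len(body):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if pos + elen > len(body): raise ValueError("truncated extension")
            extensions[etype] = body[pos:pos + elen]; pos += elen   # body left unparsed
    return {"session_id": session_id, "extensions": extensions}

def sni_hostname(ch: dict) -> Optional[str]:
    """Decode host_name from the raw server_name extension body, or None if absent."""
    raw = ch["extensions"].get(SNI_EXT)
    if raw is None or len(raw) < 5 or raw[2] != 0:    # only name_type 0 (host_name) is defined
        return None
    return raw[5:5 + struct.unpack("!H", raw[3:5])[0]].decode("ascii")

def server_dispatch(record: bytes, session_cache: dict, cert_cb) -> tuple:
    """Hypothetical server step: pick the certificate from the CH first, then check resumption."""
    ch = parse_client_hello(record)
    cert = cert_cb(sni_hostname(ch))          # runs for every ClientHello, no SSL_SESSION yet
    return cert, ch["session_id"] in session_cache
```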
