Dear OpenSSL developpers, I have put a version of openssl that supports the TLS servername extensioninto our web server. It is based on a openssl development snapshot of last week.
We have split of and simplified the code that was done together with SRP last year, an,d corrected known bugs.
See http://www.edelweb.fr/EdelKey/files/openssl-0.9.8+SERVERNAME.tar.gz see also http://www.edelweb.fr/EdelKey/ The snapshot was one day before the 0.9.8a announcement, I think it contains the recent vulerability patch. I invite the core developers to take a look on it: basically s_client and s_server have been slighlty enhanced and in "ssl" there the modules that have OPENSSL_NO_TLSEXT contain the new functionality.In the s23_lib.c it is possible to have anounce a TLS extension and to "ignore it" on the server side as with s3_lib.
There is one functionality which is not necessary to support the servername extension, but only to allow a renegotiation of a session using another servername, e;g. when a web server received a "Host: " This is not yet fully tested, and I am not sure whether the implemenation is good. The idea is to switch the ssl->ctx point to another context. The reference counting for the ctx is simple, but during an SSL_new there is some data "cached" down into the SSL, and, in particular the interesting one, the server's certificate. It may not be necessary to switch the actual CTX, but rather change the SSL to cache from the "other" CTX. regards and thanks for looking at it; sorry for the lengthly message. Peter Cesc wrote:
Hi,While discussing the proper implementation for TLS support for (open)ser SIP proxy (currently using OpenSSL), we came up with somehow a showstopper: when the server serves multiple domains, we'd like to present a different certificate depending on which domain the incoming message is directed to. The option of using a different port per domain is an option, but not the best one. So, my question is, does openssl implement TLS extensions, as defined in RFC 3546, specially section "3.1 - server name identification"? This way, the tls client establishing the tls connection could announce the proxy it is connecting to, thus solving all the multi-domain problems.We heard that it is there in gnutls, what about openssl?And, now that i started, what TLS Extensions does openssl support? Regards, Cesc
--To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch.
smime.p7s
Description: S/MIME Cryptographic Signature