(Resending from an address which is actually subscribed. Apologies if this
causes anyone to receive this twice.)
Here's the patch series which flipped it:
https://boringssl.googlesource.com/boringssl/+/4eb95ccfd64d46fad23f36238690594d02518467
https://boringssl.googlesource.com/boringssl/+/34202b93
Alessandro,
Indeed I just checked BoringSSL's source and it calls cert_cb before
resuming the session. Inviting David Benjamin into this conversation.
David,
Do you have any insights or motivation to share with us? The way BoringSSL
handles session resumption + cert_cb is a correct one in my opi
> Thank you for feedback, though!
Thanks for your expertise and continued interest in pushing OpenSSL into
new(er) areas!
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote:
> This totally makes sense. Unfortunately, adding a new API method for this
> means that I'll have to re-introduce ClientHello parser in bud, and make a
> wider use of it in Node.js again.
FWIW, BoringSSL offers an early callback that
Thank you for feedback, though!
On Sat, Dec 10, 2016 at 11:13 AM, Fedor Indutny wrote:
> This totally makes sense. Unfortunately, adding a new API method for this
> means that I'll have to re-introduce ClientHello parser in bud, and make a
> wider use of it in Node.js again.
>
> On Sat, Dec 10,
This totally makes sense. Unfortunately, adding a new API method for this
means that I'll have to re-introduce ClientHello parser in bud, and make a
wider use of it in Node.js again.
On Sat, Dec 10, 2016 at 3:07 AM, Salz, Rich wrote:
> > Oh, just to restate it. I'm willing to submit the patch if
> Oh, just to restate it. I'm willing to submit the patch if we agree on what
> exactly it should do.
Might want to wait a bit. TLS 1.3 handshakes are a bit different.
What seems most sensible is to have a callback once the hello is parsed, allow
the callback to change almost anything it wants. I would be very disappointed
if we did something that was too specific to some special use cases.
I was mostly under the impression that Matt Caswell was planning to add
a generic "early callback" that gets called just after extensions are
read but before they are processed, and was waiting to see what that
looked like and whether the same API could be reasonably backported to
1.1.0 (not necess
Oh, just to restate it. I'm willing to submit the patch if we agree on what
exactly it should do.
On Fri, Dec 9, 2016 at 11:29 PM, Fedor Indutny wrote:
> Hello Benjamin,
>
> On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk wrote:
>
>> On 12/09/2016 01:43 PM, Fedor Indutny wrote:
>>
>> Hello,
>>
Hello Benjamin,
On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk wrote:
> On 12/09/2016 01:43 PM, Fedor Indutny wrote:
>
> Hello,
>
> During development of one feature for my TLS proxy bud, I have discovered
> that the cert_cb is invoked only for newly generated tickets/sessions. The
> reasoning
On 12/09/2016 01:43 PM, Fedor Indutny wrote:
> Hello,
>
> During development of one feature for my TLS proxy bud, I have
> discovered that the cert_cb is invoked only for newly generated
> tickets/sessions. The reasoning behind this is clear, but I believe
> that it most likely needs a revision.
On Fri, Dec 9, 2016 at 11:13 PM, Viktor Dukhovni wrote:
> On Fri, Dec 09, 2016 at 09:47:19PM +0100, Fedor Indutny wrote:
>
> > > The callback is *correctly* only called when choosing the server
> > > certificate. In *that* case, it is always called. When sessions
> > > are resumed, there is no
On Fri, Dec 09, 2016 at 09:47:19PM +0100, Fedor Indutny wrote:
> > The callback is *correctly* only called when choosing the server
> > certificate. In *that* case, it is always called. When sessions
> > are resumed, there is no certificate to present, so no callback is
> > made.
>
> That's why
Hello Viktor!
Replying inline.
On Fri, Dec 9, 2016 at 9:28 PM, Viktor Dukhovni wrote:
> On Fri, Dec 09, 2016 at 08:43:01PM +0100, Fedor Indutny wrote:
>
> > During development of one feature for my TLS proxy bud, I have discovered
> > that the cert_cb is invoked only for newly generated tickets
On Fri, Dec 09, 2016 at 08:43:01PM +0100, Fedor Indutny wrote:
> During development of one feature for my TLS proxy bud, I have discovered
> that the cert_cb is invoked only for newly generated tickets/sessions. The
> reasoning behind this is clear, but I believe that it most likely needs
> a r
Hello,
During development of one feature for my TLS proxy bud, I have discovered
that the cert_cb is invoked only for newly generated tickets/sessions. The
reasoning behind this is clear, but I believe that it most likely needs
a revision. Here is my reasoning:
The major use case is choosing a