Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Viktor Dukhovni
On Wed, May 08, 2019 at 05:23:38PM -0500, Benjamin Kaduk via openssl-users wrote: > > > In Postfix, it is configured with the same settings as the initial > > > SSL_CTX, *but* no server certificates. During the SNI callback I > > > interpose the certificate-less context, and then

Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Benjamin Kaduk via openssl-users
On Wed, May 08, 2019 at 04:40:07PM -0400, Michael Richardson wrote: > > Viktor Dukhovni wrote: > >> Diversionary issue: > >> > https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html > >> and: > >> >

Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Viktor Dukhovni
On Wed, May 08, 2019 at 04:40:07PM -0400, Michael Richardson wrote: > > You can interpose a secondary "virtual-host-specific" SSL_CTX for > > the rest of the handshake. This carries the server certificate, but > > also the trust store settings for validating client certificates,

Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Michael Richardson
Viktor Dukhovni wrote: >> Diversionary issue: >> https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html >> and: >> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html >> >> are pretty vague. I think that

Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Viktor Dukhovni
> On May 8, 2019, at 4:23 PM, Michael Richardson wrote: > > My questions about the documentation of the callbacks remain. > Having solved the problem, I'm pretty certain the "no shared cipher" > error message is way too overloaded. It sounds like you failed to load a matching key pair into

Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Michael Richardson
My questions about the documentation of the callbacks remain. Having solved the problem, I'm pretty certain the "no shared cipher" error message is way too overloaded. Some piece of code is clearly doing something useful, which is to check if the public/private key match. Unfortunately,

Re: configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Viktor Dukhovni
On Wed, May 08, 2019 at 02:15:43PM -0400, Michael Richardson wrote: > Diversionary issue: > https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html > and: > https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html > > are pretty vague. I think that

configuring callbacks (or not) and SNI vs not... no shared cipher from server end

2019-05-08 Thread Michael Richardson
Diversionary issue: https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html and: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html are pretty vague. I think that SSL_set_tlsext_host_name() is probably intended to be used on the client to set