On Wed, May 08, 2019 at 05:23:38PM -0500, Benjamin Kaduk via openssl-users
wrote:
> > > In Postfix, it is configured with the same settings as the initial
> > > SSL_CTX, *but* no server certificates. During the SNI callback I
> > > interpose the certificate-less context, and then
On Wed, May 08, 2019 at 04:40:07PM -0400, Michael Richardson wrote:
>
> Viktor Dukhovni wrote:
> >> Diversionary issue:
> >> https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html
> >> and:
> >>
>
On Wed, May 08, 2019 at 04:40:07PM -0400, Michael Richardson wrote:
> > You can interpose a secondary "virtual-host-specific" SSL_CTX for
> > the rest of the handshake. This carries the server certificate, but
> > also the trust store settings for validating client certificates,
Viktor Dukhovni wrote:
>> Diversionary issue:
>> https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html
>> and:
>> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html
>>
>> are pretty vague. I think that
> On May 8, 2019, at 4:23 PM, Michael Richardson wrote:
>
> My questions about the documentation of the callbacks remain.
> Having solved the problem, I'm pretty certain the "no shared cipher"
> error message is way too overloaded.
It sounds like you failed to load a matching key pair into
My questions about the documentation of the callbacks remain.
Having solved the problem, I'm pretty certain the "no shared cipher"
error message is way too overloaded.
Some piece of code is clearly doing something useful, which is to check if
the public/private key match. Unfortunately,
On Wed, May 08, 2019 at 02:15:43PM -0400, Michael Richardson wrote:
> Diversionary issue:
> https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html
> and:
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html
>
> are pretty vague. I think that
Diversionary issue:
https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html
and:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html
are pretty vague. I think that SSL_set_tlsext_host_name() is probably
intended to be used on the client to set