> On 13 Jan 2017, at 16:35, Christian Heimes <christ...@cheimes.de> wrote:
> 
> How would this work for OpenSSL? In OpenSSL the SNI callback replaces
> the SSL_CTX of a SSL socket pointer with another SSL_CTX. The new
> SSL_CTX takes care of cipher negotiation, certs and other handshake
> details. The SSL_CTX should be reused in order to benefit from cached
> certs, HSM stuff and cached sessions. OpenSSL binds sessions to SSL_CTX
> instances.
> 
> A callback looks more like this:
> 
> contexts = {
>    'www.example.org': SSLContext(cert1, key1),
>    'internal.example.com': SSLContext(cert2, key2),
> }
> 
> def sni_callback(sock, hostname):
>    sock.context = contexts[hostname]

If the goal is to keep those contexts static, the best thing to do is to cache 
the context based on the configuration. Because configurations should be static 
they should be hashable, which would mean that the ServerContext can keep an 
internal dictionary of {configuration: SSLContext}. When the new configuration 
is returned, it can simply pull the context out of the cache as needed.

Cory
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
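The caching scheme Cory sketches above, written out as an added example (this is not code from the thread or from CPython). `ServerContext` and `TLSConfiguration` are assumed names modelled on the proposal; `ssl.SSLContext`, `load_cert_chain`, `set_ciphers`, the `sni_callback` attribute, and the `ALERT_DESCRIPTION_*` constants are the real standard-library API (Python 3.7+). The configuration is a frozen dataclass, so it is hashable and can key the `{configuration: SSLContext}` dictionary; equal configurations therefore resolve to a single `SSLContext`, which is what keeps OpenSSL's cached certificates, HSM-backed keys and session cache shared across hosts that use the same settings. The callback also covers two edge cases the real OpenSSL path hits: a client that sent no SNI (keep the listening context) and a name the server does not serve (abort with `unrecognized_name`).

```python
"""Per-configuration SSLContext cache handed out from an SNI callback.

Added example; ServerContext and TLSConfiguration are assumed names, the
ssl-module calls are the real stdlib API.
"""
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Returned from the callback to abort the handshake for a hostname we do not serve.
UNRECOGNIZED_NAME_ALERT = ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME


@dataclass(frozen=True)
class TLSConfiguration:
    """Immutable (hence hashable) server configuration.

    Two equal configurations map to one cached ssl.SSLContext, so the loaded
    certificate, any HSM-backed key and OpenSSL's session cache are shared.
    """
    certfile: str
    keyfile: str
    ciphers: Optional[str] = None  # None keeps the OpenSSL defaults


def build_context(config: TLSConfiguration) -> ssl.SSLContext:
    """Default factory: a server-side context loaded from the configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(config.certfile, config.keyfile)
    if config.ciphers:
        ctx.set_ciphers(config.ciphers)
    return ctx


class ServerContext:
    """Maps SNI hostnames to configurations and caches one context per config."""

    def __init__(self, routes: Dict[str, TLSConfiguration],
                 context_factory: Callable[[TLSConfiguration], ssl.SSLContext] = build_context):
        # DNS names are case-insensitive, so normalise once on both sides of the lookup.
        self._routes = {host.lower(): cfg for host, cfg in routes.items()}
        self._factory = context_factory
        self._contexts: Dict[TLSConfiguration, ssl.SSLContext] = {}

    def context_for(self, config: TLSConfiguration) -> ssl.SSLContext:
        """Return the cached context for this configuration, building it at most once."""
        ctx = self._contexts.get(config)
        if ctx is None:
            ctx = self._contexts[config] = self._factory(config)
        return ctx

    def sni_callback(self, sslobj, server_name, ssl_context):
        """Signature required by ssl.SSLContext.sni_callback.

        Replaces sslobj.context with the cached context for the requested host,
        mirroring the OpenSSL SNI callback swapping the SSL_CTX of the SSL object.
        Returning an alert description makes OpenSSL abort the handshake.
        """
        if server_name is None:
            return None  # client sent no SNI: keep the listening context's defaults
        config = self._routes.get(server_name.lower())
        if config is None:
            return UNRECOGNIZED_NAME_ALERT
        sslobj.context = self.context_for(config)
        return None

    def install(self, listening_context: ssl.SSLContext) -> None:
        """Register the callback on the context a server socket is wrapped with."""
        listening_context.sni_callback = self.sni_callback
```

In use, `ServerContext({...}).install(listening_ctx)` is called once on the context passed to `wrap_socket(server_side=True)`; the per-host contexts are then created lazily on the first ClientHello naming each configuration and reused for every later connection. The `context_factory` parameter exists so the routing and caching logic can be exercised without certificate files on disk.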