> On 13 Jan 2017, at 16:35, Christian Heimes <christ...@cheimes.de> wrote:
> How would this work for OpenSSL? In OpenSSL the SNI callback replaces
> the SSL_CTX of a SSL socket pointer with another SSL_CTX. The new
> SSL_CTX takes care of cipher negotiation, certs and other handshake
> details. The SSL_CTX should be reused in order to benefit from cached
> certs, HSM stuff and cached sessions. OpenSSL binds sessions to SSL_CTX
> instances.
> A callback looks more like this:
> contexts = {
>    'www.example.org': SSLContext(cert1, key1),
>    'internal.example.com': SSLContext(cert2, key2),
> }
> def sni_callback(sock, hostname):
>    sock.context = contexts[hostname]

If the goal is to keep those contexts static, the best thing to do is to cache 
the context based on the configuration. Because configurations should be static 
they should be hashable, which would mean that the ServerContext can keep an 
internal dictionary of {configuration: SSLContext}. When the new configuration 
is returned, it can simply pull the context out of the cache as needed.

Security-SIG mailing list

Reply via email to