On 2017-01-13 17:37, Cory Benfield wrote:
>
>> On 13 Jan 2017, at 16:35, Christian Heimes <christ...@cheimes.de> wrote:
>>
>> How would this work for OpenSSL? In OpenSSL the SNI callback replaces
>> the SSL_CTX of an SSL socket pointer with another SSL_CTX. The new
>> SSL_CTX takes care of cipher negotiation, certs and other handshake
>> details. The SSL_CTX should be reused in order to benefit from cached
>> certs, HSM stuff and cached sessions. OpenSSL binds sessions to SSL_CTX
>> instances.
>>
>> A callback looks more like this:
>>
>> contexts = {
>>     'www.example.org': SSLContext(cert1, key1),
>>     'internal.example.com': SSLContext(cert2, key2),
>> }
>>
>> def sni_callback(sock, hostname):
>>     sock.context = contexts[hostname]
>
> If the goal is to keep those contexts static, the best thing to do is to
> cache the context based on the configuration. Because configurations should
> be static they should be hashable, which would mean that the ServerContext
> can keep an internal dictionary of {configuration: SSLContext}. When the new
> configuration is returned, it can simply pull the context out of the cache as
> needed.
You lost me and I'm tired. My brain is no longer able to follow. I'm
calling it a day. A working example or PoC might help to understand your
point... :)

Christian

_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
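The mechanism the two messages above are circling, as an added example that is not part of this thread or of the Security-SIG proposal: a cache of `SSLContext` objects keyed by a hashable configuration (Cory's `{configuration: SSLContext}` dictionary), and an SNI callback that swaps the socket's context the way Christian's sketch does. It uses the real stdlib `SSLContext.sni_callback` hook (Python 3.7+ signature); `ServerConfig`, `ServerContextCache`, `make_sni_callback` and `FakeSSLSocket` are names invented for this illustration, and `load_certs=False` only exists so the cache logic can be exercised without key material on disk.

```python
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ServerConfig:
    """Hashable, immutable TLS configuration (hypothetical name) usable as a dict key."""
    certfile: str
    keyfile: str
    ciphers: Optional[str] = None

class ServerContextCache:
    """{ServerConfig: SSLContext}: one context per configuration, reused across handshakes
    so loaded certs/keys and the session cache are shared, as Cory suggests."""

    def __init__(self, load_certs: bool = True):
        self._cache = {}
        self._load_certs = load_certs  # False: exercise the cache without key files on disk

    def context_for(self, config: ServerConfig) -> ssl.SSLContext:
        ctx = self._cache.get(config)
        if ctx is None:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            if config.ciphers:
                ctx.set_ciphers(config.ciphers)
            if self._load_certs:
                ctx.load_cert_chain(config.certfile, config.keyfile)
            self._cache[config] = ctx
        return ctx

    def size(self) -> int:
        return len(self._cache)

def make_sni_callback(cache: ServerContextCache, hostnames: dict):
    """Return a function for SSLContext.sni_callback (Python 3.7+ signature); hostnames maps
    server_name -> ServerConfig. None continues the handshake, an ALERT_DESCRIPTION_* aborts."""
    def sni_callback(sslsocket, server_name, initial_context):
        config = hostnames.get(server_name)
        if config is None:
            # Unknown or absent SNI: refuse instead of silently serving the default cert.
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        # Like OpenSSL's SNI callback swapping the SSL_CTX: the new context's cert, key and
        # cipher settings apply to the rest of this handshake.
        sslsocket.context = cache.context_for(config)
        return None
    return sni_callback

class FakeSSLSocket:
    """Constructed stand-in for ssl.SSLSocket so the callback can be exercised offline."""
    context = None
```

In a real server you would install it with `server_ctx.sni_callback = make_sni_callback(cache, hostnames)` on the context used for `wrap_socket`, with `load_certs` left at its default so each cached context carries its own chain and key.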