Wednesday, December 11, 2013, 10:43:21 PM, you wrote:

> Certificate selection (mostly) happens in ssl_servername_callback(), see
> <https://github.com/apache/trafficserver/blob/master/iocore/net/SSLUtils.cc#L162>.
> Ideally, this would be plumbed through to the plugin API, but the
> synchronous API model is not a great fit for that.

There is also selection based on IP address, which happens earlier. I looked at that callback and did not make it available through my prospective API precisely for that reason. I personally think it's a fault in the OpenSSL API, as it should be very possible to make that asynchronous by having the callback return an "I'm not done yet" value and OpenSSL calling it again on the next SSL_read call. But fixing it would involve tweaking OpenSSL.
