<div dir="ltr">
<div><div><div><div><div><div><div>Hi!<br><br></div>My application
server can receive 2 types of incoming connections, either from user
requests (such as Firefox) or from a proprietary client for which the
HTTP requests are controlled. I want to enforce client verification for
the proprietary client connections, not for the user requests.
Unfortunately, I have very few possibilities for determining the
connection type, everybody connect on the same TCP port.<br><br></div>Because
I control the proprietary client connections, I tries using the ALPN
extension. In this case, my application server can detect the ALPN
extension and enforce the client verification. In order to implement
this, I tried using SSL_set_SSL_CTX in the ALPN callback. Because this
function does not seem to copy the verify_mode flag, I also applied
SSL_set_verify and SSL_set_verify_depth on the SSL handle.<br><br></div>The
client certificate is requested and verified but OpenSSL then fails
with an internal error. I managed to make it work with the same
mechanism applied to SNI. My questions are:<br></div> - Is it expected
to have the error when using the ALPN callback? i had the feeling that
it would be more appropriate to use this extension in this case.<br></div>
- Is it valid to use SNI this way? The registered server_name is an
ASCII keyword used to detect the inbound request type, not a real server
name.<br><br></div>Thank you,<br></div>Chris.<br>
<br></div>