[openssl-dev] Pausing TLS negotiation after client hello
Susan Hinrichs
shinrich at ieee.org
Fri Jan 23 22:20:06 UTC 2015
Hello All,
I work with Apache Traffic Server. Many of our users use the SNI
callback to select the certificate that the proxy will present to the
client. This selection can take some time. Rather than blocking the
callback thread, we would like to pause the negotiation from the SNI
callback. After the certificate has been selected, SSL_accept can be
called again to continue the processing.
Looking at documentation and code, I did not see a way to do this, so I
created a small patch on 1.0.1f. I'll say a few words about the patch
below.
But first, is there another way to achieve this in the existing 1.0.x
API or the proposed 1.1 API?
If not, is there broader interest in such an addition? The users within
the Apache Traffic Server community would like to be able to use an
un-patched openssl library.
My patch is at
https://issues.apache.org/jira/secure/attachment/12662757/openssl-sni.patch
It adds SSL_TLSEXT_ERR_READ_AGAIN as another return value option for the
SNI callback. On this return value, openssl stops the negotiation and
marks the message to be reused. It does not signal an error to the
client. The next time SSL_accept is called, the client hello message is
processed again, and if the SNI callback returns the SSL_TLSEXT_ERR_OK,
the negotiation will continue.
Thanks for your attention,
Susan Hinrichs