[openssl-dev] Pausing TLS negotiation after client hello
Dr. Stephen Henson
steve at openssl.org
Fri Jan 23 23:16:04 UTC 2015
On Fri, Jan 23, 2015, Susan Hinrichs wrote:
> Hello All,
>
> I work with Apache Traffic Server. Many of our users use the SNI
> callback to select the certificate that the proxy will present to
> the client. This selection can take some time. Rather than
> blocking the callback thread, we would like to pause the negotiation
> from the SNI callback. After the certificate has been selected,
> SSL_accept can be called again to continue the processing.
>
> Looking at documentation and code, I did not see a way to do this,
> so I created a small patch on 1.0.1f. I'll say a few words about
> the patch below.
>
> But first, is there another way to achieve this in the existing
> 1.0.x API or the proposed 1.1 API?
>
OpenSSL 1.0.2 has a certificate callback which can be used for both client
and server certificates. It also supports non-blocking I/O so you can
"pause" in the manner you describe.
See:
https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_cb.html
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org