[openssl-dev] Pausing TLS negotiation after client hello
Susan Hinrichs
shinrich at ieee.org
Sat Jan 24 00:16:42 UTC 2015
On 1/23/2015 5:16 PM, Dr. Stephen Henson wrote:
> On Fri, Jan 23, 2015, Susan Hinrichs wrote:
>
>> Hello All,
>>
>> I work with Apache Traffic Server. Many of our users use the SNI
>> callback to select the certificate that the proxy will present to
>> the client. This selection can take some time. Rather than
>> blocking the callback thread, we would like to pause the negotiation
>> from the SNI callback. After the certificate has been selected,
>> SSL_accept can be called again to continue the processing.
>>
>> Looking at documentation and code, I did not see a way to do this,
>> so I created a small patch on 1.0.1f. I'll say a few words about
>> the patch below.
>>
>> But first, is there another way to achieve this in the existing
>> 1.0.x API or the proposed 1.1 API?
>>
> OpenSSL 1.0.2 has a certificate callback which can be used for both client
> and server certificates. It also supports non-blocking I/O so you can
> "pause" in the manner you describe.
>
> See:
>
> https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_cb.html
>
> Steve.
Splendid! That looks like exactly what we need. Thank you for the pointer.
Susan
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org