[openssl-dev] cert_cb and TLS tickets
Benjamin Kaduk
bkaduk at akamai.com
Fri Dec 9 22:24:41 UTC 2016
On 12/09/2016 01:43 PM, Fedor Indutny wrote:
> Hello,
>
> During development of one feature for my TLS proxy bud, I have
> discovered that the cert_cb is invoked only for newly generated
> tickets/sessions. The reasoning behind this is clear, but I believe
> that it most likely needs a revision. Here is my reasoning:
>
> The major use case is choosing a certificate/private key either
> dynamically (based on various parameters of SSL structure) or
> asynchronously (by using SSL_ERROR_WANT_X509_LOOKUP). However when the
> TLS ticket is provided by the client, it will be parsed and loaded
> using the ticket key from the main context, without giving a way for
> the application to override it for a particular servername (from SNI).
> Furthermore, with the TLS ticket provided, the application can no longer
> choose to provide a different certificate in case of expiration or
> revocation.
>
If you had a callback that ran before session resumption (possibly the
existing SNI callback, possibly a new callback), would that allow you to
solve your problem? I would very much like to see such an early
callback so as to be able to do SNI processing before resumption,
possibly even before version negotiation. (And yes, I should put my
money where my mouth is and come up with a patch.)
-Ben