[openssl-dev] cert_cb and TLS tickets

Fedor Indutny fedor at indutny.com
Fri Dec 9 22:41:04 UTC 2016


Oh, just to restate it. I'm willing to submit the patch if we agree on what
exactly it should do.

On Fri, Dec 9, 2016 at 11:29 PM, Fedor Indutny <fedor at indutny.com> wrote:

> Hello Benjamin,
>
> On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk <bkaduk at akamai.com> wrote:
>
>> On 12/09/2016 01:43 PM, Fedor Indutny wrote:
>>
>> Hello,
>>
>> During development of one feature for my TLS proxy bud, I have discovered
>> that the cert_cb is invoked only for newly generated tickets/sessions. The
>> reasoning behind this is clear, but I believe that it most likely needs
>> a revision. Here is my reasoning:
>>
>> The major use case is choosing a certificate/private key either
>> dynamically (based on various parameters of the SSL structure) or
>> asynchronously (by using SSL_ERROR_WANT_X509_LOOKUP). However, when the
>> TLS ticket is provided by the client, it will be parsed and loaded using
>> the ticket key from the main context, without giving the application a way
>> to override it for a particular servername (from SNI). Furthermore, with the
>> TLS ticket provided, the application can no longer choose to provide a different
>> certificate in case of expiration or revocation.
>>
>>
>> If you had a callback that ran before session resumption (possibly the
>> existing SNI callback, possibly a new callback), would that allow you to
>> solve your problem?  I would very much like to see such an early callback
>> so as to be able to do SNI processing before resumption, possibly even
>> before version negotiation.  (And yes, I should put my money where my mouth
>> is and come up with a patch.)
>>
>
> That's exactly what I am asking for. Putting it before session resumption
> will be enough for my use case, though.
>
> Thank you,
> Fedor.
>
>
>>
>> -Ben
>>
>> --
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>>
>>
>