[openssl-dev] cert_cb and TLS tickets

Alessandro Ghedini alessandro at ghedini.me
Sat Dec 10 13:35:56 UTC 2016


On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote:
> This totally makes sense. Unfortunately, adding a new API method for this
> means that I'll have to re-introduce ClientHello parser in bud, and make a
> wider use of it in Node.js again.

FWIW, BoringSSL offers an early callback that is passed a semi-parsed CH, and
an API to extract specific extensions from it (though this returns the raw
unparsed extension body). Something similar could be adopted for OpenSSL.

Whether this should be called in the CH post process phase (immediately before
cert_cb) or much earlier (like BoringSSL) is likely to affect the implementation
though (e.g. I'm not sure if the CH buffer is still available in the post
process).

Might be worth noting that BoringSSL changed the CH processing recently, by
moving the session resumption logic after cert_cb, which means cert_cb is now
called every time, but without an SSL_SESSION being available. So calling the
cert_cb unconditionally is not unheard of.

Cheers
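To make the "semi-parsed ClientHello plus raw extension lookup" interface discussed above concrete, here is an added illustration written for this page (not code from OpenSSL, BoringSSL, bud or Node.js): a bounds-checked walk of a single TLS record carrying a ClientHello that returns each extension's unparsed body keyed by type, which is the shape of data an early (pre-cert_cb) callback could hand to the application, plus a constructed ClientHello to feed it. The builder's cipher suite, random and hostname are sample values chosen for the example; the extension numbers 0 (server_name) and 35 (session_ticket) are the registered IANA values.

```python
import struct

EXT_SERVER_NAME, EXT_SESSION_TICKET = 0, 35   # IANA TLS ExtensionType values

def _take(buf, off, n):
    """Return (buf[off:off+n], new_offset), refusing to read past the end."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello at offset %d" % off)
    return buf[off:off + n], off + n
def _vec(buf, off, lensize):
    # Read a vector with a 1- or 2-byte length prefix and skip over it.
    n, off = _take(buf, off, lensize)
    return _take(buf, off, int.from_bytes(n, "big"))

def client_hello_extensions(record):
    """Walk one TLS record carrying a ClientHello; return {ext_type: raw_body}."""
    hdr, off = _take(record, 0, 5)
    if hdr[0] != 0x16:                              # ContentType handshake
        raise ValueError("not a handshake record")
    body, _ = _take(record, off, int.from_bytes(hdr[3:5], "big"))
    hs, off = _take(body, 0, 4)
    if hs[0] != 0x01:                               # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    ch, _ = _take(body, off, int.from_bytes(hs[1:4], "big"))
    _, off = _take(ch, 0, 2 + 32)                   # legacy_version + random
    _, off = _vec(ch, off, 1)                       # session_id
    _, off = _vec(ch, off, 2)                       # cipher_suites
    _, off = _vec(ch, off, 1)                       # compression_methods
    if off == len(ch):
        return {}                                   # extensions block is optional
    exts, off = _vec(ch, off, 2)
    result, off = {}, 0
    while off < len(exts):
        th, off = _take(exts, off, 4)
        etype, elen = struct.unpack("!HH", th)
        if etype in result:                         # RFC forbids repeats; reject
            raise ValueError("duplicate extension %d" % etype)
        result[etype], off = _take(exts, off, elen)  # body left unparsed
    return result

def build_client_hello(host, ticket=b""):
    """Constructed TLS 1.2 ClientHello (sample input for this example, not captured traffic)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    exts += struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    ch = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    ch += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

An empty session_ticket body means the client supports tickets but offered none, which is exactly the "cert_cb runs every time, no SSL_SESSION yet" situation described above; a non-empty body is the opaque ticket the server would still have to decrypt and validate before trusting anything in it.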