[openssl-users] ALPN and SSL_set_SSL_CTX
ct06fr at gmail.com
Tue Apr 17 12:30:17 UTC 2018
My application server can receive 2 types of incoming connections, either
from user requests (such as Firefox) or from a proprietary client for which
the HTTP requests are controlled. I want to enforce client verification for
the proprietary client connections, not for the user requests.
Unfortunately, I have very few possibilities for determining the connection
type, everybody connect on the same TCP port.
Because I control the proprietary client connections, I tries using the
ALPN extension. In this case, my application server can detect the ALPN
extension and enforce the client verification. In order to implement this,
I tried using SSL_set_SSL_CTX in the ALPN callback. Because this function
does not seem to copy the verify_mode flag, I also applied SSL_set_verify
and SSL_set_verify_depth on the SSL handle.
The client certificate is requested and verified but OpenSSL then fails
with an internal error. I managed to make it work with the same mechanism
applied to SNI. My questions are:
- Is it expected to have the error when using the ALPN callback? i had
the feeling that it would be more appropriate to use this extension in this
- Is it valid to use SNI this way? The registered server_name is an
ASCII keyword used to detect the inbound request type, not a real server
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users