[openssl-users] ALPN and SSL_set_SSL_CTX

[Christophe Truc]

 Hi!

My application server can receive 2 types of incoming connections, either
from user requests (such as Firefox) or from a proprietary client for which
the HTTP requests are controlled. I want to enforce client verification for
the proprietary client connections, not for the user requests.
Unfortunately, I have very few possibilities for determining the connection
type, everybody connect on the same TCP port.

Because I control the proprietary client connections, I tries using the
ALPN extension. In this case, my application server can detect the ALPN
extension and enforce the client verification. In order to implement this,
I tried using SSL_set_SSL_CTX in the ALPN callback. Because this function
does not seem to copy the verify_mode flag, I also applied SSL_set_verify
and SSL_set_verify_depth on the SSL handle.

The client certificate is requested and verified but OpenSSL then fails
with an internal error. I managed to make it work with the same mechanism
applied to SNI. My questions are:
   - Is it expected to have the error when using the ALPN callback? i had
the feeling that it would be more appropriate to use this extension in this
case.
   - Is it valid to use SNI this way? The registered server_name is an
ASCII keyword used to detect the inbound request type, not a real server
name.

Thank you,
Chris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180417/fc74d67d/attachment-0001.html>