configuring callbacks (or not) and SNI vs not... no shared cipher from server end

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 8 21:53:36 UTC 2019


On Wed, May 08, 2019 at 04:40:07PM -0400, Michael Richardson wrote:

>     > You can interpose a secondary "virtual-host-specific" SSL_CTX for
>     > the rest of the handshake.  This carries the server certificate, but
>     > also the trust store settings for validating client certificates, the
>     > settings to request (or not) client certificates, the verification
>     > callbacks, ...  It is a rather heavyweight object, best cached and
>     > re-used for multiple connections.
> 
> So, it's okay to change the SSL_CTX for an SSL* after creation.
> That is rather surprising to me, but I guess it's okay.
> I suppose I feel that there ought to be reference counts, but this is C, not Rust.

It is not that sort of "change"; there's a call to insert an
additional CTX that interposes between the SSL handle and its
parent context for most of the relevant data and function pointers.
The SSL handle is still ultimately tied to the same parent context.

>     > In Postfix, it is configured with the same settings as the initial
>     > SSL_CTX, *but* no server certificates.  During the SNI callback I
>     > interpose the certificate-less context, and then set the certificate
>     > chain on the connection handle (SSL *) instead.
> 
> okay, I'll use Postfix as my reference :-)

Fine by me. :-)

-- 
	Viktor.