Gervase Markham wrote:

As most of you will know, supporting it in Apache requires changes to
OpenSSL (which we funded, and which went into version 0.9.8f) and to the
httpd itself.
I am certainly not one of those "most". I am not aware of
external funding for the pieces mentioned in the
CHANGES file in the dev 0.9.9 branch of openssl.

*) Add initial support for TLS extensions, specifically for the server_name
    extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
    have new members for a host name.  The SSL data structure has an
    additional member SSL_CTX *initial_ctx so that new sessions can be
    stored in that context to allow for session resumption, even after the
    SSL has been switched to a new SSL_CTX in reaction to a client's
    server_name extension.

    New functions (subject to change):

        SSL_get_servername()
        SSL_get_servername_type()
        SSL_set_SSL_CTX()

    New CTRL codes and macros (subject to change):

        SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                - SSL_CTX_set_tlsext_servername_callback()
        SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                     - SSL_CTX_set_tlsext_servername_arg()
        SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()

    openssl s_client has a new '-servername ...' option.

    openssl s_server has new options '-servername_host ...', '-cert2 ...',
    '-key2 ...', '-servername_fatal' (subject to change).  This allows
    testing the HostName extension for a specific single host name ('-cert'
    and '-key' remain fallbacks for handshakes without HostName
    negotiation).  If the unrecognized_name alert has to be sent, this by
    default is a warning; it becomes fatal with the '-servername_fatal'
    option.

    [Peter Sylvester,  Remy Allais, Christophe Renou]
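The following is an added example, written for this page and not taken from the mailing-list post or from OpenSSL itself. It builds a minimal ClientHello carrying the server_name extension in its RFC 3546/6066 wire form (what `s_client -servername` puts on the wire), parses the host name back out the way a server must before it can pick a certificate (the value `SSL_get_servername()` would return), and then mirrors the dispatch the CHANGES entry describes for `s_server`: a per-name context for the configured `-servername_host` (`-cert2`/`-key2`), the fallback context otherwise (`-cert`/`-key`), and an `unrecognized_name` alert that is a warning by default and fatal only with `-servername_fatal`. Host names, the `Server` class and the string values standing in for `SSL_CTX` objects are all constructed for illustration.

```python
"""Constructed example: server_name (SNI) extension encoding, parsing and
server-side dispatch.  Nothing here is OpenSSL code; the "contexts" are
plain strings standing in for SSL_CTX objects."""
import struct

EXT_SERVER_NAME = 0x0000       # ExtensionType server_name
NAME_TYPE_HOST_NAME = 0x00     # NameType host_name


def build_server_name_extension(host):
    """Encode one host_name entry as an RFC 6066 ServerNameList extension."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(host=None):
    """Minimal TLS 1.0 ClientHello body (handshake header omitted).
    host=None produces a pre-extension hello, as an old client would send."""
    body = b"\x03\x01"                           # client_version TLS 1.0
    body += b"\x00" * 32                         # random (constructed, all zero)
    body += b"\x00"                              # session_id: empty
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # compression_methods: null only
    if host is not None:
        ext = build_server_name_extension(host)
        body += struct.pack("!H", len(ext)) + ext
    return body


def parse_server_name(client_hello):
    """Return the host_name carried in the server_name extension, or None.
    Raises ValueError on length fields that run past the message."""
    view = memoryview(client_hello)
    pos = 2 + 32                                 # skip version + random
    sid_len = view[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", view[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = view[pos]; pos += 1 + cm_len
    if pos >= len(view):
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", view[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end > len(view):
        raise ValueError("extensions length exceeds message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", view[pos:pos + 4]); pos += 4
        data = bytes(view[pos:pos + ext_len]); pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lst, p = data[2:2 + list_len], 0
        while p + 3 <= len(lst):
            name_type, name_len = struct.unpack("!BH", lst[p:p + 3]); p += 3
            name = lst[p:p + name_len]; p += name_len
            if len(name) != name_len:
                raise ValueError("truncated host_name")
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


class Server:
    """Stand-in for s_server's options: -cert/-key is the fallback context,
    -cert2/-key2 serves the single -servername_host, -servername_fatal
    decides whether unrecognized_name is a warning or aborts the handshake."""

    def __init__(self, servername_host, servername_fatal=False):
        self.fallback_ctx = "ctx:default"                 # '-cert' / '-key'
        self.named_ctx = {servername_host.lower(): "ctx:" + servername_host}
        self.servername_fatal = servername_fatal

    def servername_callback(self, client_hello):
        """What a handler installed with SSL_CTX_set_tlsext_servername_callback()
        would decide: which context to switch to (SSL_set_SSL_CTX) and which
        alert, if any, to send."""
        host = parse_server_name(client_hello)
        if host is None:                                  # no extension: fallback cert
            return {"ctx": self.fallback_ctx, "alert": None, "fatal": False}
        ctx = self.named_ctx.get(host.lower())
        if ctx is not None:                               # known name: switch context
            return {"ctx": ctx, "alert": None, "fatal": False}
        if self.servername_fatal:                         # unknown name, fatal alert
            return {"ctx": None, "alert": "unrecognized_name", "fatal": True}
        return {"ctx": self.fallback_ctx, "alert": "unrecognized_name", "fatal": False}


if __name__ == "__main__":
    srv = Server("www.example.test")
    for host in ("www.example.test", "other.example.test", None):
        print(host, "->", srv.servername_callback(build_client_hello(host)))
```

The callback returns the fallback context together with a warning alert for an unknown name, which is the default the CHANGES entry describes; only the `servername_fatal` path refuses the handshake, so a server that relies on the default must be prepared to serve the `-cert`/`-key` certificate to a client that asked for a different name.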
