Link to the OpenSSL 1.1.1 API doc:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_early_cb.html

NOTES

[…]

"It is also recommended that applications utilize an early callback and not use 
a servername callback, in order to avoid unexpected behavior that occurs due to 
the relative order of processing between things like session resumption and the 
historical servername callback."

> Le 4 sept. 2017 à 16:39, Emmanuel Hocdet <m...@gandi.net> a écrit :
> 
> Hi Emeric, Christopher
> 
> If you can review when you have time. (3) for Christopher.
> 
> These patches allow supporting native multicert selection (RSA/ECDSA) and
> ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the
> only one to support this until this patch).
> 
> patches:
> 1) Convert BoringSSL api call (CBS) to ssl-lib independent code.
>    This is the biggest part and only depend on BoringSSL build (until 2).
> 
> 2) Support openssl 1.1.1 early callback API. It mimics the BoringSSL api, and this
>    is good news (small patch).
>    Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now?
> 
> 3) Add generated certificate for early switch-ctx.
>    Historically this part has been skipped (not supported for boringssl).
>    There is now a ssl_sock_generate_certificate_from_conn func, but I don't
>    understand how this takes a real/generated cert.
>    Christopher, can you take a look?
> 
> ++
> Manu
> 
> 
> <0001-MEDIUM-ssl-convert-CBS-BoringSSL-api-usage-to-neutra.patch><0002-MINOR-ssl-support-Openssl-1.1.1-early-callback-for-s.patch><0003-MINOR-ssl-generated-certificate-is-missing-in-switch.patch>
> 
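The early callback discussed in this thread hands the server the raw ClientHello before session resumption or the servername callback run, so the certificate choice (RSA vs ECDSA) and the per-certificate ssl-min-ver/ssl-max-ver check have to be made from bytes the library has not yet validated. The following is an added example, not HAProxy's, BoringSSL's or OpenSSL's code: a library-neutral, CBS-style bounded cursor in the spirit of patch (1), a parser for the three extensions that matter here (server_name = 0, signature_algorithms = 13 and supported_versions = 43 are the real IANA numbers), and a slot selector that models ssl-min-ver/ssl-max-ver per certificate. The `sample_hello` bytes, the `cert_slot` structure and the slot names are constructed for the example. Two details a practitioner will want: every read goes through the cursor so a truncated or over-long length field fails the parse instead of over-reading, and GREASE values in supported_versions are skipped so they are never mistaken for a protocol version. Note that in the released OpenSSL 1.1.1 the early callback was renamed to `SSL_CTX_set_client_hello_cb`.

```c
/* Added example (not HAProxy/OpenSSL/BoringSSL code): parse the ClientHello fields an
 * early / client-hello callback needs to pick a certificate and enforce a version range. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cbs { const uint8_t *p; size_t n; };              /* bounded byte cursor (CBS-like) */

static int cbs_get_u8(struct cbs *c, uint8_t *v) {
    if (c->n < 1) return 0;
    *v = c->p[0]; c->p++; c->n--; return 1;
}
static int cbs_get_u16(struct cbs *c, uint16_t *v) {
    if (c->n < 2) return 0;
    *v = (uint16_t)(c->p[0] << 8 | c->p[1]); c->p += 2; c->n -= 2; return 1;
}
static int cbs_skip(struct cbs *c, size_t len) {
    if (c->n < len) return 0;
    c->p += len; c->n -= len; return 1;
}
/* Split off a length-prefixed sub-range (1- or 2-byte length) into *out; fails if the
 * declared length exceeds what is actually present. */
static int cbs_get_prefixed(struct cbs *c, size_t prefix, struct cbs *out) {
    uint8_t l8; uint16_t l16; size_t len;
    if (prefix == 1) { if (!cbs_get_u8(c, &l8)) return 0; len = l8; }
    else             { if (!cbs_get_u16(c, &l16)) return 0; len = l16; }
    if (c->n < len) return 0;
    out->p = c->p; out->n = len; c->p += len; c->n -= len; return 1;
}

struct hello_info {
    char     sni[256];
    int      ecdsa_ok;      /* client offered an ECDSA signature algorithm */
    uint16_t max_version;   /* highest real version in supported_versions, else legacy_version */
};

/* Parse a ClientHello body (4-byte handshake header already removed). 1 = ok, 0 = malformed. */
int parse_client_hello(const uint8_t *buf, size_t len, struct hello_info *info) {
    struct cbs c = { buf, len }, sub, exts;
    uint16_t legacy_version, ext_type;
    memset(info, 0, sizeof(*info));
    if (!cbs_get_u16(&c, &legacy_version) || !cbs_skip(&c, 32)) return 0; /* version + random */
    if (!cbs_get_prefixed(&c, 1, &sub)) return 0;                          /* session_id */
    if (!cbs_get_prefixed(&c, 2, &sub)) return 0;                          /* cipher_suites */
    if (!cbs_get_prefixed(&c, 1, &sub)) return 0;                          /* compression_methods */
    info->max_version = legacy_version;
    if (c.n == 0) return 1;                                                /* no extensions */
    if (!cbs_get_prefixed(&c, 2, &exts) || c.n != 0) return 0;             /* trailing bytes = bad */
    while (exts.n > 0) {
        struct cbs ext;
        if (!cbs_get_u16(&exts, &ext_type) || !cbs_get_prefixed(&exts, 2, &ext)) return 0;
        if (ext_type == 0) {                                /* server_name */
            struct cbs list, name; uint8_t name_type;
            if (!cbs_get_prefixed(&ext, 2, &list)) return 0;
            while (list.n > 0) {
                if (!cbs_get_u8(&list, &name_type) || !cbs_get_prefixed(&list, 2, &name)) return 0;
                if (name_type == 0 && name.n < sizeof(info->sni)) {
                    memcpy(info->sni, name.p, name.n); info->sni[name.n] = '\0';
                }
            }
        } else if (ext_type == 13) {                        /* signature_algorithms */
            struct cbs list; uint16_t alg;
            if (!cbs_get_prefixed(&ext, 2, &list)) return 0;
            while (list.n > 0) {
                if (!cbs_get_u16(&list, &alg)) return 0;
                if ((alg & 0xff) == 0x03) info->ecdsa_ok = 1; /* low byte 3 = ecdsa (0x0403 etc.) */
            }
        } else if (ext_type == 43) {                        /* supported_versions */
            struct cbs list; uint16_t v;
            if (!cbs_get_prefixed(&ext, 1, &list)) return 0;
            info->max_version = 0;                          /* extension overrides legacy_version */
            while (list.n > 0) {
                if (!cbs_get_u16(&list, &v)) return 0;
                if ((v & 0x0f0f) == 0x0a0a) continue;       /* GREASE value, not a version */
                if (v > info->max_version) info->max_version = v;
            }
        }                                                   /* unknown extensions: skipped */
    }
    return 1;
}

/* Constructed certificate slot: models a cert with its own ssl-min-ver / ssl-max-ver. */
struct cert_slot { const char *name; int is_ecdsa; uint16_t min_ver, max_ver; };

/* First slot the client can use: ECDSA only if offered, and the version that would be
 * negotiated (min of client max and slot max) must reach the slot's minimum. */
const char *select_cert(const struct hello_info *info, const struct cert_slot *slots, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint16_t nego = info->max_version < slots[i].max_ver ? info->max_version : slots[i].max_ver;
        if (slots[i].is_ecdsa && !info->ecdsa_ok) continue;
        if (nego < slots[i].min_ver) continue;
        return slots[i].name;
    }
    return NULL;
}

/* Constructed ClientHello body: legacy TLS 1.2, SNI "example.test", sigalgs
 * {rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256}, supported_versions {GREASE, 1.3, 1.2}. */
static const uint8_t sample_hello[] = {
    0x03,0x03,                                               /* legacy_version */
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x00,                                                    /* session_id: empty */
    0x00,0x04, 0x13,0x01, 0xc0,0x2b,                         /* cipher_suites */
    0x01,0x00,                                               /* compression: null */
    0x00,0x2a,                                               /* extensions length */
    0x00,0x00, 0x00,0x11, 0x00,0x0f, 0x00, 0x00,0x0c, 'e','x','a','m','p','l','e','.','t','e','s','t',
    0x00,0x0d, 0x00,0x06, 0x00,0x04, 0x08,0x04, 0x04,0x03,
    0x00,0x2b, 0x00,0x07, 0x06, 0x3a,0x3a, 0x03,0x04, 0x03,0x03
};

int main(void) {
    struct hello_info hi;
    struct cert_slot slots[] = { {"ecdsa-cert", 1, 0x0303, 0x0304}, {"rsa-cert", 0, 0x0301, 0x0304} };
    if (!parse_client_hello(sample_hello, sizeof(sample_hello), &hi)) { puts("malformed"); return 1; }
    printf("sni=%s ecdsa=%d max=0x%04x -> %s\n", hi.sni, hi.ecdsa_ok, hi.max_version,
           select_cert(&hi, slots, 2));   /* sni=example.test ecdsa=1 max=0x0304 -> ecdsa-cert */
    return 0;
}
```

Feeding the parser a ClientHello cut short, or one whose extensions length claims more than the message holds, returns 0 rather than reading past the buffer, which is the property the callback must have since it runs on unauthenticated input before any other handshake processing.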
