[ https://issues.apache.org/jira/browse/TS-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14299170#comment-14299170 ]

Susan Hinrichs commented on TS-3319:
------------------------------------

I updated things so only one callback will be executed after the client hello.  
We determined there was no functional value to the client in providing both an 
SNI callback and a cert callback.  Offering both just added to confusion and 
complexity.

If the version is 1.0.2 or better, we will set the cert_cb and launch the 
plugin TS_SSL_CERT_HOOK from there.

Otherwise, we will set the sni_callback and launch the TS_SSL_CERT_HOOK from 
there.  If the patch constant is present, we will support the pause return 
option.

We should encourage people who need the pause functionality to move forward to 
openssl 1.0.2.

During testing, I noticed that the callbacks would not be called on resumption 
if the plugin has replaced the callback.  Rather than adding a method to set 
the ATS callbacks on the ctx context, I moved the logic to execute the 
remaining paused hooks to be run from the reenable method rather than waiting 
for the next execution of the sni/cert callback. 

Updated the documentation.

Tested against a patched 1.0.1 and 1.0.2 with two functions hooked and one 
pausing.  Executed the hooks in both orders.

> Adapt to Openssl 1.0.2 Certificate Callback
> -------------------------------------------
>
>                 Key: TS-3319
>                 URL: https://issues.apache.org/jira/browse/TS-3319
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>             Fix For: 5.3.0
>
>
> With TS-3006, we provided a patch for openssl 1.0.1 to enable the SNI 
> callback to pause.
> With openssl 1.0.2 the client certificate callback is extended to work for 
> server certificate selection.  You can return values to pause the SSL 
> processing after the client hello here as well.
> The details are at 
> https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_cb.html
> ATS should be extended to use the certificate callback mechanism if openssl 
> 1.0.2 is available.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
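The hook-chain behaviour the comment describes (one callback entry after the client hello, a hook that pauses, and the remaining hooks driven from the reenable method rather than from the next callback entry, which a plugin that has replaced the cert/SNI callback may never trigger) can be shown with a small model. This is an added example, not Traffic Server code; the type and function names, the two-hook set-up and the "callback re-entered" flag standing in for whether OpenSSL calls our callback again are all assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Model of a TS_SSL_CERT_HOOK chain on one connection (assumed names, not ATS code).
enum class HookResult { Continue, Pause };

struct Session {
    std::vector<std::function<HookResult(Session &)>> hooks; // hooks in registration order
    std::size_t next = 0;        // index of the next hook to run
    bool paused = false;         // a hook returned Pause and has not been reenabled yet
    bool handshake_done = false; // every hook has run; the handshake may proceed
    std::string trace;           // which hooks ran, in order, e.g. "AB"

    // What the OpenSSL 1.0.2 cert_cb (or the patched 1.0.1 SNI callback) does on
    // entry: run hooks in order until one pauses. Returns 1 to continue the
    // handshake or -1 to pause it, the cert_cb return convention.
    int callback() {
        while (next < hooks.size()) {
            if (hooks[next++](*this) == HookResult::Pause) {
                paused = true;
                return -1;
            }
        }
        handshake_done = true;
        return 1;
    }

    // Old behaviour: reenable only clears the pause and relies on OpenSSL
    // entering the callback again to run the remaining hooks.
    void reenable_old() { paused = false; }

    // New behaviour (as the comment describes): reenable runs the remaining
    // hooks itself, so it no longer matters whether the callback is entered again.
    void reenable_new() {
        paused = false;
        callback();
    }
};

// Drive one connection: first callback entry after the client hello, a reenable,
// then an optional second callback entry. pause_first chooses which of the two
// constructed hooks pauses (the comment tested both orders); new_reenable picks
// the reenable implementation; callback_reentered models whether OpenSSL calls
// our callback again, which it will not if a plugin replaced it on the context.
// Returns the hook trace followed by "|done" or "|stuck".
std::string run(bool pause_first, bool new_reenable, bool callback_reentered) {
    Session s;
    s.hooks.push_back([pause_first](Session &ss) {
        ss.trace += 'A';
        return pause_first ? HookResult::Pause : HookResult::Continue;
    });
    s.hooks.push_back([pause_first](Session &ss) {
        ss.trace += 'B';
        return pause_first ? HookResult::Continue : HookResult::Pause;
    });

    s.callback(); // first entry from OpenSSL after the client hello
    if (s.paused) {
        if (new_reenable) s.reenable_new(); else s.reenable_old();
    }
    if (callback_reentered && !s.handshake_done) s.callback();
    return s.trace + (s.handshake_done ? "|done" : "|stuck");
}

int main() {
    std::printf("old reenable, callback replaced by plugin: %s\n", run(true, false, false).c_str());
    std::printf("old reenable, callback re-entered:         %s\n", run(true, false, true).c_str());
    std::printf("new reenable, callback replaced by plugin: %s\n", run(true, true, false).c_str());
    return 0;
}
```

With the old reenable, a connection whose callback is never re-entered stays stuck after the pausing hook even when no hooks remain (hook B pausing last still needs one more callback entry to mark the handshake done); with the new reenable, both hook orders complete without a second callback entry.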
