On Fri, Dec 09, 2016 at 08:43:01PM +0100, Fedor Indutny wrote:

> During development of one feature for my TLS proxy bud, I have discovered
> that the cert_cb is invoked only for newly generated tickets/sessions. The
> reasoning behind this is clear, but I believe that it most likely needs
> a revision. Here is my reasoning:
The callback is *correctly* only called when choosing the server
certificate. In *that* case, it is always called. When sessions are
resumed, there is no certificate to present, so no callback is made.

> Furthermore, with the TLS ticket provided, application can no longer
> choose to provide a different certificate in case of expiration or
> revocation.

You can implement a ticket key callback that, when appropriate, will
decline tickets under suitable conditions, in which case a full handshake
will be performed.

Custom ticket callbacks that do session ticket key rotation are a good idea
in any case; the default tickets are not rotated, which is not appropriate
for long-running processes.

-- 
	Viktor.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
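As an added illustration of the ticket key callback approach Viktor describes (example code written for this page, not code from bud or from OpenSSL): a small key ring that rotates the ticket key hourly, keeps accepting tickets under the previous key for a grace period while re-issuing them (callback return 2), declines tickets under unknown or expired keys so that OpenSSL falls back to a full handshake and cert_cb runs again (return 0), and can retire every key at once when the application swaps its certificate. The rotation and acceptance windows, the three-slot ring, all function names and demo_rng are this example's own assumptions; the OpenSSL 1.1.x glue at the bottom is compiled only with -DHAVE_OPENSSL, so the ring itself builds and runs without the OpenSSL headers.

```c
#include <string.h>
#include <time.h>

#define TKEY_NAME_LEN    16    /* OpenSSL ticket key names are 16 bytes */
#define TKEY_SLOTS       3
#define TKEY_ROTATE_SECS 3600  /* issue tickets under a key for at most 1h (assumed policy) */
#define TKEY_ACCEPT_SECS 7200  /* decrypt tickets under a key for at most 2h (assumed policy) */

/* Same values as the callback's decrypt-path return codes: 0 = key unknown or expired, OpenSSL
 * falls back to a full handshake (so cert_cb runs); 1 = accept; 2 = accept but issue a fresh ticket. */
enum tkey_verdict { TKEY_DECLINE = 0, TKEY_ACCEPT = 1, TKEY_RENEW = 2 };
struct ticket_key {
    unsigned char name[TKEY_NAME_LEN];
    unsigned char aes_key[32];   /* AES-256-CBC */
    unsigned char hmac_key[32];  /* HMAC-SHA256 */
    time_t created;
    int in_use;
};
struct ticket_ring {             /* initialise as { .current = -1, .rng = RAND_bytes } */
    struct ticket_key keys[TKEY_SLOTS];
    int current;                            /* slot issuing new tickets, -1 if none */
    int (*rng)(unsigned char *buf, int n);  /* same shape as RAND_bytes() */
};

/* Retire every key: all outstanding tickets are declined and the next resumption attempt
 * gets a full handshake. Call this when the certificate has been replaced or revoked. */
void ring_retire_all(struct ticket_ring *r)
{
    for (int i = 0; i < TKEY_SLOTS; i++)
        r->keys[i].in_use = 0;
    r->current = -1;
}
/* Fresh key in the next slot. With 3 slots and ACCEPT = 2 x ROTATE, a key is never
 * overwritten while tickets under it would still be accepted. */
int ring_rotate(struct ticket_ring *r, time_t now)
{
    int slot = (r->current + 1) % TKEY_SLOTS;
    struct ticket_key *k = &r->keys[slot];
    if (r->rng(k->aes_key, sizeof k->aes_key) != 1 || r->rng(k->hmac_key, sizeof k->hmac_key) != 1 ||
        r->rng(k->name, TKEY_NAME_LEN) != 1)
        return 0;
    k->created = now;
    k->in_use = 1;
    r->current = slot;
    return 1;
}
/* Key for encrypting a new ticket; rotates lazily once the current key is old. */
struct ticket_key *ring_current(struct ticket_ring *r, time_t now)
{
    if (r->current < 0 || now - r->keys[r->current].created >= TKEY_ROTATE_SECS)
        if (!ring_rotate(r, now)) return NULL;
    return &r->keys[r->current];
}
/* Find the key named in a presented ticket and decide what to do with it. */
enum tkey_verdict ring_lookup(struct ticket_ring *r, const unsigned char *name,
                              time_t now, struct ticket_key **out)
{
    for (int i = 0; i < TKEY_SLOTS; i++) {
        struct ticket_key *k = &r->keys[i];
        if (!k->in_use || memcmp(k->name, name, TKEY_NAME_LEN) != 0)
            continue;
        if (now - k->created >= TKEY_ACCEPT_SECS)
            return TKEY_DECLINE;             /* too old: force a full handshake */
        if (out) *out = k;
        return (i == r->current && now - k->created < TKEY_ROTATE_SECS)
               ? TKEY_ACCEPT : TKEY_RENEW;   /* still valid but stale: re-issue */
    }
    return TKEY_DECLINE;                     /* never issued, or retired */
}
/* Constructed deterministic stand-in for RAND_bytes() so this file builds without OpenSSL. */
int demo_rng(unsigned char *buf, int n)
{
    static unsigned char ctr = 1;
    for (int i = 0; i < n; i++)
        buf[i] = ctr++;
    return 1;
}

#ifdef HAVE_OPENSSL  /* glue into OpenSSL 1.1.x, compiled only with -DHAVE_OPENSSL */
#include <openssl/ssl.h>
#include <openssl/rand.h>
#include <openssl/hmac.h>
static struct ticket_ring g_ring = { .current = -1, .rng = RAND_bytes };
/* Install with SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_cb). */
static int ticket_key_cb(SSL *s, unsigned char key_name[TKEY_NAME_LEN],
                         unsigned char iv[EVP_MAX_IV_LENGTH],
                         EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
    time_t now = time(NULL);
    struct ticket_key *k = NULL;
    enum tkey_verdict v = TKEY_ACCEPT;
    if (enc) {                               /* new ticket: encrypt under the current key */
        if (!(k = ring_current(&g_ring, now)) || RAND_bytes(iv, EVP_MAX_IV_LENGTH) != 1)
            return -1;
        memcpy(key_name, k->name, TKEY_NAME_LEN);
    } else if ((v = ring_lookup(&g_ring, key_name, now, &k)) == TKEY_DECLINE)
        return 0;                            /* OpenSSL then performs a full handshake */
    if (EVP_CipherInit_ex(ctx, EVP_aes_256_cbc(), NULL, k->aes_key, iv, enc) != 1 ||
        HMAC_Init_ex(hctx, k->hmac_key, sizeof k->hmac_key, EVP_sha256(), NULL) != 1)
        return -1;
    return (int)v;                           /* 1 = proceed/accept, 2 = accept and renew */
}
#endif
```

In a real server the ring has to be protected against concurrent rotation (a lock, or one ring per worker that shares keys out-of-band), the key material must come from RAND_bytes and never from anything like demo_rng, and a proxy that changes its certificate at run time calls ring_retire_all so that every outstanding ticket is declined and the next ClientHello goes through the full handshake where cert_cb is consulted.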