On 12/09/2016 01:43 PM, Fedor Indutny wrote:
> Hello,
>
> During development of one feature for my TLS proxy bud, I have
> discovered that the cert_cb is invoked only for newly generated
> tickets/sessions. The reasoning behind this is clear, but I believe
> that it most likely needs a revision. Here is my reasoning:
>
> The major use case is choosing a certificate/private key either
> dynamically (based on various parameters of the SSL structure) or
> asynchronously (by using SSL_ERROR_WANT_X509_LOOKUP). However, when the
> TLS ticket is provided by the client, it will be parsed and loaded
> using the ticket key from the main context, without giving a way for the
> application to override it for a particular servername (from SNI).
> Furthermore, with the TLS ticket provided, the application can no longer
> choose to provide a different certificate in case of expiration or
> revocation.
>
If you had a callback that ran before session resumption (possibly the existing SNI callback, possibly a new callback), would that allow you to solve your problem?

I would very much like to see such an early callback so as to be able to do SNI processing before resumption, possibly even before version negotiation. (And yes, I should put my money where my mouth is and come up with a patch.)

-Ben
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev