Oh, just to restate it. I'm willing to submit the patch if we agree on what exactly it should do.
On Fri, Dec 9, 2016 at 11:29 PM, Fedor Indutny <fe...@indutny.com> wrote:

> Hello Benjamin,
>
> On Fri, Dec 9, 2016 at 11:24 PM, Benjamin Kaduk <bka...@akamai.com> wrote:
>
>> On 12/09/2016 01:43 PM, Fedor Indutny wrote:
>>
>>> Hello,
>>>
>>> During development of one feature for my TLS proxy bud, I have discovered
>>> that the cert_cb is invoked only for newly generated tickets/sessions. The
>>> reasoning behind this is clear, but I believe that it most likely needs
>>> a revision. Here is my reasoning:
>>>
>>> The major use case is choosing a certificate/private key either
>>> dynamically (based on various parameters of the SSL structure) or
>>> asynchronously (by using SSL_ERROR_WANT_X509_LOOKUP). However, when a
>>> TLS ticket is provided by the client, it will be parsed and loaded using
>>> the ticket key from the main context, without giving the application a way
>>> to override it for a particular servername (from SNI). Furthermore, with a
>>> TLS ticket provided, the application can no longer choose to provide a different
>>> certificate in case of expiration or revocation.
>>
>> If you had a callback that ran before session resumption (possibly the
>> existing SNI callback, possibly a new callback), would that allow you to
>> solve your problem? I would very much like to see such an early callback
>> so as to be able to do SNI processing before resumption, possibly even
>> before version negotiation. (And yes, I should put my money where my mouth
>> is and come up with a patch.)
>
> That's exactly what I am asking for. Putting it before session resumption
> will be enough for my use case, though.
>
> Thank you,
> Fedor.
>
>> -Ben
>>
>> --
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev