Alessandro,

Indeed, I just checked BoringSSL's source and it calls cert_cb before
resuming the session. Inviting David Benjamin into this conversation.

David,

Do you have any insights or motivation to share with us? The way BoringSSL
handles session resumption + cert_cb is a correct one in my opinion, and I'm
trying to persuade everyone here of this too :)

Thank you,
Fedor.

On Sat, Dec 10, 2016 at 2:35 PM, Alessandro Ghedini <alessan...@ghedini.me> wrote:
> On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote:
> > This totally makes sense. Unfortunately, adding a new API method for this
> > means that I'll have to re-introduce the ClientHello parser in bud, and make a
> > wider use of it in Node.js again.
>
> FWIW, BoringSSL offers an early callback that is passed a semi-parsed CH, and
> an API to extract specific extensions from it (though this returns the raw
> unparsed extension body). Something similar could be adopted for OpenSSL.
>
> Whether this should be called in the CH post-process phase (immediately before
> cert_cb) or much earlier (like BoringSSL) is likely to affect the implementation
> though (e.g. I'm not sure if the CH buffer is still available in the post
> process).
>
> Might be worth noting that BoringSSL changed the CH processing recently, by
> moving the session resumption logic after cert_cb, which means cert_cb is now
> called every time, but without an SSL_SESSION being available. So calling the
> cert_cb unconditionally is not unheard of.
>
> Cheers
>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
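As an added illustration of the "semi-parsed ClientHello plus extension lookup" API Alessandro describes, here is a small bounds-checked ClientHello extension extractor in C. It is example code written for this thread, not BoringSSL's or OpenSSL's implementation; the function names, the `cursor` helper type and the byte sample are all constructed for the example. It hands back the raw extension body exactly as described, and then shows the server_name decoding a caller has to do on top of that.

```c
#include <stdint.h>
#include <string.h>
/* Bounded cursor over the ClientHello; every read fails (0) instead of running past the end. */
typedef struct { const uint8_t *p; size_t n; } cursor;
static int take(cursor *c, size_t len, const uint8_t **out) {
    if (c->n < len) return 0;
    *out = c->p; c->p += len; c->n -= len; return 1;
}
static int take_uint(cursor *c, int width, size_t *v) {   /* width 1 or 2, big-endian */
    const uint8_t *b; if (!take(c, (size_t)width, &b)) return 0;
    *v = width == 1 ? b[0] : ((size_t)b[0] << 8) | b[1]; return 1;
}
static int take_vec(cursor *c, int lensz, cursor *out) {  /* length-prefixed vector */
    size_t len; if (!take_uint(c, lensz, &len) || !take(c, len, &out->p)) return 0;
    out->n = len; return 1;
}
/* Walk the ClientHello body (after the 4-byte handshake header) and point *out at the raw
   body of extension `type`: 1 = found, 0 = absent, -1 = malformed ClientHello. */
int clienthello_get_ext(const uint8_t *ch, size_t ch_len, uint16_t type,
                        const uint8_t **out, size_t *out_len) {
    cursor c = { ch, ch_len }, skip, exts, body; const uint8_t *fixed; size_t t;
    if (!take(&c, 2 + 32, &fixed)) return -1;                   /* client_version + random */
    /* session_id, cipher_suites, compression_methods: skipped, but must be well-formed */
    if (!take_vec(&c, 1, &skip) || !take_vec(&c, 2, &skip) || !take_vec(&c, 1, &skip)) return -1;
    if (c.n == 0) return 0;                         /* the extensions block is optional */
    if (!take_vec(&c, 2, &exts) || c.n != 0) return -1;         /* reject trailing bytes */
    while (exts.n > 0) {
        if (!take_uint(&exts, 2, &t) || !take_vec(&exts, 2, &body)) return -1;
        if (t == type) { *out = body.p; *out_len = body.n; return 1; }
    }
    return 0;
}
/* The body is returned unparsed, so decoding server_name (type 0) is the caller's job:
   copies host_name into `host` and returns its length, or -1 if absent or malformed. */
int clienthello_get_sni(const uint8_t *ch, size_t ch_len, char *host, size_t cap) {
    cursor c, list, name; size_t name_type;
    if (clienthello_get_ext(ch, ch_len, 0x0000, &c.p, &c.n) != 1) return -1;
    if (!take_vec(&c, 2, &list) || !take_uint(&list, 1, &name_type) || name_type != 0) return -1;
    if (!take_vec(&list, 2, &name) || name.n == 0 || name.n >= cap) return -1;
    memcpy(host, name.p, name.n); host[name.n] = '\0';
    return (int)name.n;
}
/* Constructed sample, not a capture: TLS 1.2, zero random, empty session_id, one cipher
   suite, null compression, then server_name "example.com" and an empty extension 0x0017. */
static const uint8_t SAMPLE_CH[] = {
    0x03,0x03, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00, 0x00,0x02,0x13,0x01, 0x01,0x00, 0x00,0x18,  /* session_id, suites, compression, ext len */
    0x00,0x00, 0x00,0x10, 0x00,0x0e, 0x00, 0x00,0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
    0x00,0x17, 0x00,0x00
};
```

Because the lookup runs on the raw ClientHello rather than on a negotiated session, it behaves the same on a fresh handshake and on a resumption attempt, which is the property the thread is discussing for cert_cb.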