I would think that this could be done by handling BIO communications
yourself via memory BIOs, then sending the content of those BIOs over the
network as appropriate.  But, this does appear to be something that needs
attention (given the reactive nature of SNI's specification long after the
original API was developed).

Ironically, this issue appears to make it much easier to write an MITM
proxy than an opaque CONNECT-method proxy.

-Kyle H


On Mon, May 26, 2014 at 2:03 AM, DEXTER <mydexte...@gmail.com> wrote:

> Hi!
>
> In a proxying environment, when the client connects to the proxy and it
> sends the SNI, you have to suspend the handshake with the client side,
> start the handshake on the server side, get the certificate from the server,
> and send that certificate back to the client.
> This is only possible if I can suspend the handshake procedure with the
> client and continue when I have the certificate from the server.
>
> Right now OpenSSL has some callbacks, like the info and msg callbacks, but
> you cannot return from them with, let's say, SSL_HANDSHAKE_SUSPEND or
> SSL_HANDSHAKE_INTERRUPT or something like that to be able to continue
> later. So right now, when you return from these and you don't have the
> certificate set, you'll get the "No shared cipher" error.
>
> The question is: will there be some kind of way to suspend and
> continue the handshake?
> Or is there any other way to do this now?
>
> Thank you.
>

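An added example, not code from either poster, showing the memory-BIO approach Kyle describes in Python's ssl module (which exposes OpenSSL's memory BIOs as ssl.MemoryBIO and ssl.SSLObject). The proxy owns the raw bytes, so the "suspension" is simply buffering: it parses the SNI out of the ClientHello itself before any server-side SSL object exists, and only once it has the upstream certificate does it build a server context and replay the buffered ClientHello into it. The hostname "example.test", the SniGate class and the helper names are this example's own; capture_client_hello() generates a real ClientHello locally so nothing touches the network.

```python
"""Added example: SNI-gated "suspend and resume" of a TLS handshake using
memory BIOs, in place of the suspend-from-callback API the thread asks for.
Not code from the original thread."""
import ssl
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def extract_sni(data: bytes):
    """Parse the SNI host_name out of raw bytes that should begin with a
    TLS ClientHello record.  Returns the hostname, or None if more bytes
    are needed to decide; raises ValueError for non-ClientHello data or a
    ClientHello without SNI (the proxy then cannot pick a certificate)."""
    if len(data) < 5:
        return None
    rec_type, ver_major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != TLS_HANDSHAKE or ver_major != 3:
        raise ValueError("not a TLS handshake record")
    if len(data) < 5 + rec_len:
        return None                       # record still incomplete: keep buffering
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                       # message spans records: keep buffering
    try:
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + body[pos]              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]              # compression_methods
        if pos + 2 > len(body):
            raise ValueError("ClientHello has no extensions, hence no SNI")
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # ServerNameList: u16 list_len, then (u8 name_type, u16 len, name)*
            list_end = 2 + struct.unpack("!H", ext[:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", ext[lpos:lpos + 3])
                name = ext[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0:        # host_name
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    raise ValueError("ClientHello carries no server_name extension")


def capture_client_hello(hostname: str) -> bytes:
    """Drive a client-side SSLObject over memory BIOs just far enough to
    emit its ClientHello.  Stands in for bytes read from the client socket."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # expected: it now waits for ServerHello
    return outgoing.read()


class SniGate:
    """The 'suspended' client-side handshake: bytes are buffered, not yet
    handed to OpenSSL, until the SNI is known.  The caller then fetches the
    upstream certificate, builds a server-side SSLContext with it, and
    calls resume()."""

    def __init__(self):
        self.buffer = b""
        self.hostname = None

    def feed(self, chunk: bytes):
        """Append bytes from the client; returns the SNI once decidable."""
        self.buffer += chunk
        if self.hostname is None:
            self.hostname = extract_sni(self.buffer)
        return self.hostname

    def resume(self, server_ctx: ssl.SSLContext):
        """Continue the handshake by replaying the buffered ClientHello into
        a server-side SSLObject built with the now-chosen certificate.
        Returns (sslobj, bytes_to_send_to_client)."""
        incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
        server = server_ctx.wrap_bio(incoming, outgoing, server_side=True)
        incoming.write(self.buffer)
        try:
            server.do_handshake()
        except ssl.SSLWantReadError:
            pass                          # ServerHello flight queued; needs client's reply
        return server, outgoing.read()


if __name__ == "__main__":
    gate = SniGate()
    hello = capture_client_hello("example.test")
    print(gate.feed(hello[:10]), gate.feed(hello[10:]))   # None example.test
```

The client never sees a "no shared cipher" alert because no server-side SSL object exists until the certificate is in hand; the cost is that the proxy must buffer at most one record before deciding. OpenSSL 1.1.1 later added the direct form of what the question asks for: a client hello callback registered with SSL_CTX_set_client_hello_cb can return SSL_CLIENT_HELLO_RETRY, and SSL_do_handshake then reports SSL_ERROR_WANT_CLIENT_HELLO_CB until it is called again.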