What do you mean by "I have to register default certificates"? There are no default certificates. Before I know which certificate I should show to the client, I have to connect to the server to get the certificate from it (and then copy it, sign it, etc.). But before connecting to the server I need the SNI from the client to be able to connect to the server with SNI, so the server will show the proper cert.

I can only set the certificate on the client side _after_ I got the SNI, connected to the server (with the servername got from the client), got the certificate from the server, copied/signed/whatever, and _then_ I can show this to the client. Do we misunderstand each other? Or am I only misunderstanding you?

On Tue, May 27, 2014 at 2:46 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Tue, May 27, 2014 at 12:03:05PM +0200, DEXTER wrote:
> > That is exactly what I thought first, to control it with BIOs.
> > Unfortunately even if I give openssl the exact amount of bytes (not more)
> > to be able to call the SNI callback, right after I return from the
> > callback, openssl's own state machine goes into a state where it'll
> > immediately say the: No shared cipher error. (so I don't have time to set
> > the certificate later).
> > That is why I think an internal code change is needed in openssl itself, to
> > support this case.
>
> You need to register default certificates of each type (RSA, DSA,
> ECDSA). Your SNI callback can switch to a fresh SSL_CTX with the
> appropriate MITM chain. If you're not doing MITM, you can't
> splice-in the server's chain anyway, since you don't have the
> private keys. For non-MITM proxies you should not use an SSL API, as
> you're not terminating the SSL connection, just copying bytes back
> and forth. You'll just need some custom code to parse the client
> SSL HELLO and forward the connection accordingly.
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
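The non-MITM route Viktor describes, reading the SNI out of the ClientHello yourself and forwarding bytes instead of terminating TLS, as an added example that is not code from this thread or from OpenSSL: `extract_sni` walks the record, handshake and extension framing and returns the `host_name`, or `None` for truncated, non-handshake or SNI-less input; `build_client_hello` is a constructed fixture used only for testing, and both names are chosen here.

```python
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)

def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Constructed test fixture: a minimal TLS 1.2 ClientHello record."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry                    # server_name_list
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni if include_sni else b""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, fixed "random", no session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # Handshake message: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record layer: Handshake type

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None
    if the bytes are not a complete ClientHello or carry no SNI."""
    try:
        if record[0] != 0x16:                        # not a Handshake record
            return None
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:       # truncated record, or not ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # hello carries no extensions block
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + length], pos + 4 + length
            if ext_type != SNI_EXT:
                continue
            p = 2                                    # skip server_name_list length
            while p + 3 <= len(data):
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0 and p + 3 + name_len <= len(data):   # host_name, fully present
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

A proxy using this would buffer the first record, call `extract_sni`, pick the upstream by name, then replay the buffered bytes unchanged to that upstream.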