On Tue, May 27, 2014 at 05:28:31PM +0200, DEXTER wrote:

> On Tue, May 27, 2014 at 5:09 PM, Viktor Dukhovni <openssl-us...@dukhovni.org
> > wrote:
> 
> > On Tue, May 27, 2014 at 04:57:39PM +0200, DEXTER wrote:
> >
> > > Not now. Right now I'm sort of hacking the connection. I mean, I store
> > > the client's data in a temp buffer, and when I get back to the client to
> > > continue the handshake with it, I throw away the original SSL connection,
> > > create a new one, and feed it from the temp buffer. But it is really a
> > > hack and my state machine becomes very complicated because of this.

Well, replaying the client HELLO with a new SSL handle once you
have the server certificate in hand is not so terrible.  My comment
about "you're doing it wrong" was meant to be about returning from
the SNI callback and trying to use the original SSL state.

Since SNI is sent in the original client HELLO, it is quite reasonable
to store the complete HELLO and retry once you have the required
key material.  You can feed the HELLO back into a new SSL connection via an
associated BIO_pair.

So your approach is not especially inelegant.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
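The store-and-replay approach described above, shown as an added example in Python's ssl module rather than the OpenSSL C API (this is illustration code, not code from the thread). The stored ClientHello is written into a brand-new server-side SSL object over a pair of MemoryBIOs, Python's counterpart of a BIO_pair, so the old object and its state are simply discarded. The hostname is constructed, and no certificate is loaded, so each server attempt stops after the SNI callback, which is exactly the point at which the key material would have to be selected.

```python
import ssl

CLIENT_NAME = "alpha.example.test"  # constructed hostname, not from the thread


def capture_client_hello(server_hostname):
    """Drive a client over memory BIOs just far enough to emit its ClientHello
    and return the raw record bytes. SNI rides in this first flight, so these
    bytes are all a server needs to restart the handshake later."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    net_in, net_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(net_in, net_out, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for ServerHello
    return net_out.read()


def replay_client_hello(stored_hello, on_sni):
    """Feed a stored ClientHello into a fresh server-side SSL object.
    on_sni(sslobj, name, ctx) is the SNI callback; returning an alert code
    aborts this attempt, returning None lets the handshake continue.
    Returns (outcome, bytes the server wrote back)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.sni_callback = on_sni
    net_in, net_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(net_in, net_out, server_side=True)
    net_in.write(stored_hello)  # same bytes, new SSL object, no shared state
    try:
        tls.do_handshake()
        outcome = "completed"
    except ssl.SSLWantReadError:
        outcome = "waiting"  # server flight sent, needs the client's next flight
    except ssl.SSLError as exc:
        outcome = exc.reason or "error"
    return outcome, net_out.read()


def sni_retry_demo():
    """Two independent attempts from one stored hello: the first aborts because
    the key material for the name is 'not in hand yet', the second replays the
    identical bytes into a new object and sees the same SNI name again."""
    hello = capture_client_hello(CLIENT_NAME)
    seen = []

    def keys_not_ready(sslobj, name, ctx):
        seen.append(name)
        return ssl.ALERT_DESCRIPTION_HANDSHAKE_FAILURE  # abort, retry later

    def keys_ready(sslobj, name, ctx):
        seen.append(name)
        return None  # here a real server would install the fetched key/cert

    first, _ = replay_client_hello(hello, keys_not_ready)
    second, _ = replay_client_hello(hello, keys_ready)
    return hello, seen, first, second
```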
