On Aug 19, 2014, at 7:50 AM, Susan Hinrichs <shinr...@network-geographics.com> 
wrote:

> Good morning, all.
> 
> I've been working on implementing the SSL plugin extensions described in 
> TS-3006.  Documentation is at 
> http://network-geographics.com/ats/docs/ssl-api.en.html.  The features have 
> been implemented, and I am in the testing stage right now.

Thanks for the docs, this looks very promising. When you are ready to submit 
patches, this will need API review 
<https://cwiki.apache.org/confluence/display/TS/API+Review+Process>.

> Looking for feedback on the design.  Please comment on the bug or reply to 
> the mailing list.

There's already an API to get the SSL *, TSHttpSsnSSLConnectionGet. I don't 
see the need for a TSSslVConn, the TSHttpSsn should be sufficient.

The type of SSL_callback is TSEventFunc, right?

Why do TSSslCertFindByName() and TSSslCertFindByAddress() take a TSSslVConn 
argument?

Are TS_SSL_CLIENT_PRE_HANDSHAKE_HOOK and TS_SSL_SNI_HOOK session hooks? If so, 
they should follow the session hook naming conventions. If not, how do you 
register these hooks?

Ok, in the examples I see TSSslHookAdd ... could this be implemented with 
session hooks?

Previously, when we looked at SSL integration APIs, we eschewed wrapped types 
like TSSslContext in favour of directly returning OpenSSL pointers (as void *). 
My argument at the time was that there's a lot of API surface needed to deal 
with SSL and not much value in just wrapping OpenSSL.

How do you get the client and server sockaddr for calling 
TSSslCertFindByAddress? This is another reason I'd prefer to use TSHttpSsn. Oh, 
wow, I did not know we had TSNetVConn*AddrGet :)

There's no TSSslVConnOp value for the default action? i.e. to just accept the 
SSL session?

IIRC, OpenSSL doesn't guarantee anything about the SNI name except that it is a 
bag of bytes. Is it OK for TSSslVConnServernameGet() to present that as a C 
string?

Finally, I'm not thrilled with the idea of using ssl_multicert.config to 
specify the tunneling action. What would you do if you had a wildcard cert and 
only wanted to tunnel a specific name?

cheers,
James
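Added example, not part of this thread or of the TS-3006 patch: one way an accessor in the style of TSSslVConnServernameGet() could check the raw SNI bytes before exposing them as a C string, rejecting embedded NULs and non-hostname bytes so a caller cannot be handed a silently truncated name. The function name and limits are assumptions of this example, not ATS API.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hostname limits from RFC 1035: 253 bytes total, 63 per label. */
#define SNI_MAX_HOST  253
#define SNI_MAX_LABEL 63

/* Copy a raw SNI server_name value (len untrusted bytes, not NUL-terminated)
 * into a NUL-terminated C string. Returns 1 if the bytes form a plausible
 * hostname, 0 otherwise (out is then the empty string). Hypothetical helper. */
int sni_to_cstring(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    size_t i, label = 0;

    if (outsz == 0) return 0;
    out[0] = '\0';
    if (in == NULL || len == 0 || len > SNI_MAX_HOST || len + 1 > outsz) return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c == '.') {
            /* Reject empty labels: leading dot, "..", or trailing dot. */
            if (label == 0 || i + 1 == len) return 0;
            label = 0;
            continue;
        }
        /* An embedded NUL would truncate the C string the caller sees;
         * anything outside letters, digits and '-' is not a hostname byte. */
        if (!(isalnum(c) || c == '-')) return 0;
        if (label == 0 && c == '-') return 0;   /* label may not start with '-' */
        if (++label > SNI_MAX_LABEL) return 0;
    }
    memcpy(out, in, len);
    out[len] = '\0';
    return 1;
}
```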
