On 11/18/14, 8:48 AM, "James Peach" <jpe...@apache.org> wrote:
>
>> On Nov 18, 2014, at 8:38 AM, Sudheer Vinukonda
>><sudhe...@yahoo-inc.com.INVALID> wrote:
>>
>> Hi James,
>>
>> How can my_awesome_callback() know the specific custom NPN advertisement
>> list for a given netVC?
>
>It would know this in the same way the plugin knows what to pass into
>your proposed API.

Umm, the plugin gets this info from the user configuration. It seems that you are suggesting to handle this config in the core directly? If so, the most logical place to put that config would then be ssl_multicert.config, but that approach was not accepted originally. This API provides a way to achieve the same result via a plugin.

"James Peach <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=jamespeach> added a comment - 24/Oct/14 12:14
I'm a bit concerned about how this would be configured. I'm worried about feature creep in ssl_multicert.config and how this kind of configuration overlaps the ports configuration. ssl_multicert.config needs a real overhaul to allow better control over SSL features, and this might fall into that category, but I'd really like to avoid ending up with 3 different ways to configure protocols."

>
>> The purpose of the API is not to trigger the callback, but, to
>> update/modify the npnAdvertised list for a given netVC.
>
>Which is exactly what setting the callback does.
>
>> The callback part is trivial and I basically would do something similar
>> to what you pointed (I just reuse the existing advertise_next_protocol()
>> callback instead of my_awesome_callback(), but, check (and use) if
>> there's a custom npnAdvertised list set for that netVC).
>>
>> For example, if we have
>>
>> SNI=<domain1>; http/1.1,spdy/3.1
>> SNI=<domain2>; spdy/3.1,http/1.1
>>
>> All connections with SNI=domain1 need to be advertised "http/1.1,
>> spdy/3.1", while the ones with domain2 need to get the opposite.
>> >> Thanks, >> >> Sudheer >> >> >> >> On 11/18/14, 8:28 AM, "James Peach" <jpe...@apache.org> wrote: >> >>> >>>> On Nov 17, 2014, at 4:09 PM, Sudheer Vinukonda >>>> <sudhe...@yahoo-inc.com.INVALID> wrote: >>>> >>>> Hi All, >>>> >>>> I would like add a new API TSSslAdvertiseProtocolSet(), to address the >>>> requirement of modifying the NPN advertising list for each SSL >>>> connection >>>> based on SNI (please refer TS-3153). >>>> >>>> https://issues.apache.org/jira/browse/TS-3153 >>>> >>>> >>>> Below is a brief description of the API. Please review and provide >>>> comments/concerns. >>> >>> Why do you need this API when you can just do: >>> >>> SSL_CTX_set_next_protos_advertised_cb(TSVConnSSLConnectionGet(vc), >>> my_awesome_callback, foo); >>> >>>> >>>> >>>> >>>> +TSSslAdvertiseProtocolSet >>>> +============ >>>> + >>>> +Synopsis >>>> +-------- >>>> + >>>> +`#include <ts/ts.h>` >>>> + >>>> +.. c:function:: TSReturnCode TSSslAdvertiseProtocolSet(TSVConn sslp, >>>> const unsigned char ** list, unsigned int count); >>>> + >>>> +Description >>>> +----------- >>>> + >>>> + Modifies the NPN advertisement list for a given SSL connection >>>>with >>>> :arg:`list`. If :arg:`count` is 0, sets the NPN advertisement list to >>>> the >>>> default registered protocol list for the end point. Note that, the >>>> plugin >>>> that uses this API owns the :arg:`list` and is responsible for making >>>> sure >>>> it points to a valid memory. >>>> + >>>> >>>> >>>> >>>> Thanks, >>>> >>>> Sudheer >>>> >>> >> >
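
Review bot: The Description leaves the lifetime and layout of :arg:`list` unspecified. It says the plugin owns the memory and must keep it valid, but not until when (end of handshake, or close of the connection), and the signature "const unsigned char ** list, unsigned int count" does not say whether each of the count entries is a NUL-terminated protocol name or a length-prefixed one. Please state both, since a plugin that frees or reuses the buffer too early leaves the connection holding a dangling pointer. The returned TSReturnCode values are also undocumented, the first parameter is named sslp although its type is TSVConn, and the "============" underline is shorter than the title TSSslAdvertiseProtocolSet, which reStructuredText reports as a title underline that is too short.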
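
The per-SNI protocol lists discussed in this thread, as an added example that is not part of the original messages or of Traffic Server's code: it turns the "SNI=<domain>; proto,proto" configuration into the length-prefixed byte list that an OpenSSL NPN advertise callback returns. The names sni_rule, npn_encode and npn_protos_for_sni are hypothetical, and domain1/domain2 are the thread's own placeholders.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample configuration, copied from the example in the thread. */
struct sni_rule { const char *sni; const char *protos; };
static const struct sni_rule rules[] = {
    { "domain1", "http/1.1,spdy/3.1" },
    { "domain2", "spdy/3.1,http/1.1" },
};

/* Encode "a,b,c" as <len><name><len><name>... (one length byte per name).
 * Returns the number of bytes written, or 0 if a name is empty, longer
 * than 255 bytes, or the result would not fit in cap bytes.
 * The caller owns out and should keep it alive for as long as the
 * connection may reference it (the ownership point made in the patch). */
size_t npn_encode(const char *csv, unsigned char *out, size_t cap)
{
    size_t used = 0;
    for (;;) {
        size_t n = strcspn(csv, ",");      /* length of the next name */
        if (n == 0 || n > 255 || used + 1 + n > cap)
            return 0;                      /* reject, never truncate */
        out[used++] = (unsigned char)n;
        memcpy(out + used, csv, n);
        used += n;
        if (csv[n] == '\0')
            return used;
        csv += n + 1;                      /* skip the comma */
    }
}

/* Return the configured protocol string for an SNI name, or NULL when no
 * rule matches and the default list for the end point should be used.
 * Host names are compared case-insensitively. */
const char *npn_protos_for_sni(const char *sni)
{
    if (sni == NULL)
        return NULL;                       /* client sent no SNI */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcasecmp(rules[i].sni, sni) == 0)
            return rules[i].protos;
    return NULL;
}
```

Encoding once at configuration load, rather than per handshake, gives every connection for a given SNI name the same long-lived buffer.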