Originally, I was planning on leaving in plugin support for both the SNI
callback and the cert callback. But as I reflect, I question that
decision. I think it adds complexity without giving more power to the
plugin writer.
Both callbacks take place at the same point in the handshake. From both
callbacks you can set the certificate. Depending on the version and
patch level, only one of the callbacks will let you pause processing.
Perhaps it is better to support only one point for the plugin to call back
after the client hello during the handshake processing? If we did that,
ATS could adapt depending on the linked version of openssl and the
plugin would not change. I'd still add a TS_SSL_CERT_HOOK for clarity,
but I'd make it the same value as TS_SSL_SNI_HOOK. If openssl 1.0.1 is
linked, it would execute the plugin's callback during the SNI callback.
If openssl 1.0.2 is linked, it would execute the plugin's callback
during the certificate callback.
What are people's thoughts?
Thanks,
Susan
On 1/27/2015 10:08 AM, Susan Hinrichs wrote:
Hi All,
With 1.0.2 openssl expanded their support of the certificate callback
to handle pausing processing during the SSL handshake negotiation.
This replaces the functionality I added to the SNI callback in my
patch for openssl 1.0.1.
With TS-3319, I'm updating the ATS callback logic to support the
certificate callback if you are compiling against openssl 1.0.2.
There is a new hook constant, TS_SSL_CERT_HOOK. If you had a SNI
callback that was pausing the handshake to make decisions about the
certificate, you can move it from the TS_SSL_SNI_HOOK to the
TS_SSL_CERT_HOOK.
I'm finishing tidying up TS-3319. It should be ready later today or
tomorrow.
Susan