Great... This is exactly the location to do all the nasty stuff; this callback happens before all the other callbacks, and you should be able to set up some stuff for the following callbacks.
@Susan: are there plans to make the client hello callback an async hook for plugins? We were planning to do this when OpenSSL 1.1.1 was common, as it solves a lot of cases where you want to limit protocols and ALPN negotiations.... And will a hook play nice with the defined actions? I haven't kept an eye on the connection level data and lifecycle hooks for plugins, as you would need this in a plugin to maybe propagate some context; has this been merged?

On Thu, 17 Jan 2019 at 18:03, Susan Hinrichs <shinr...@oath.com.invalid> wrote:

> Possibly. I would need to look at when the ALPN negotiation happens.
> However, the protocol options on the SSL object seem to get sticky really
> fast, so I wouldn't hold my breath.
>
> On Wed, Jan 16, 2019 at 7:56 PM Leif Hedstrom <zw...@apache.org> wrote:
>
> > > On Jan 16, 2019, at 4:33 PM, Susan Hinrichs <shinr...@apache.org> wrote:
> > >
> > > I know that I had a discussion on this with Miles and Alan, but I can
> > > find no written record. The desire is to alter, on a per domain (SNI)
> > > basis, the set of TLS protocols that ATS is willing to accept.
> > >
> > > I put up a PR with an addition to ssl_server_name.yaml to do this.
> > > There is documentation in the PR and an example in the autest.
> > >
> > > One caveat is this only works in openssl 1.1.1 or better. We need a very
> > > early callback to alter how the SSL structure is interpreted. openssl
> > > 1.1.1 adds a client_hello callback which does the trick.
> > >
> > > https://github.com/apache/trafficserver/pull/4815
> > >
> > > Comments on the PR appreciated.
> >
> > Cool!
> >
> > Can this (later) be generalized to also allow ALPN negotiations to dictate
> > protocol features? For example, HTTP/2 dictates that only TLS v1.2 or later
> > is to be used, something that we (ATS) do not enforce at this point? At
> > least I don’t think we do? There’s also a long blacklist of cipher suites
> > for HTTP/2.
> >
> > Cheers,
> >
> > — Leif
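The thread stops at "the client_hello callback does the trick", so here is an added example (illustrative code, not from ATS or PR 4815) of what such a callback has to do with the ClientHello data: parse the server_name extension body, look the host up in a per-SNI policy table, and clamp the connection's allowed TLS version range. The policy table stands in for ssl_server_name.yaml, the host names and the sample extension bytes are constructed, and the HAVE_OPENSSL_111 build guard is an assumption so the policy logic compiles and runs without OpenSSL while the callback wiring shows how it would attach to SSL_CTX_set_client_hello_cb().

```c
/* Added example, not ATS project code: per-SNI TLS version policy evaluated
 * from the server_name extension body, which is what
 * SSL_client_hello_get0_ext() hands an OpenSSL 1.1.1 client_hello callback.
 * The policy table, host names, sample bytes and the HAVE_OPENSSL_111 build
 * guard are all constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire-format versions (RFC 5246 / RFC 8446); same values as OpenSSL's
 * TLS1_VERSION..TLS1_3_VERSION, so they feed SSL_set_{min,max}_proto_version(). */
#define TLS1_0 0x0301
#define TLS1_2 0x0303
#define TLS1_3 0x0304

struct sni_policy {
    const char *name;       /* NULL marks the default (last) entry */
    uint16_t min_version;
    uint16_t max_version;
};

/* Constructed stand-in for what ssl_server_name.yaml entries would express. */
static const struct sni_policy POLICIES[] = {
    { "legacy.example.com", TLS1_0, TLS1_2 },
    { "api.example.com",    TLS1_2, TLS1_3 },
    { NULL,                 TLS1_2, TLS1_3 },
};

const struct sni_policy *policy_for_sni(const char *sni) {
    const struct sni_policy *p = POLICIES;
    for (; p->name != NULL; p++)
        if (sni != NULL && strcmp(p->name, sni) == 0)
            return p;
    return p; /* default entry: unknown or absent SNI gets the strict range */
}

/* Parse a server_name extension body (RFC 6066 section 3): uint16 list_len,
 * then entries of { uint8 name_type, uint16 len, bytes }. Copies the first
 * host_name (type 0) into out as a C string; returns 1 on success, 0 on
 * malformed input. Every length is checked: this is attacker-controlled
 * data read before any authentication has happened. */
int sni_host_name(const uint8_t *ext, size_t len, char *out, size_t outlen) {
    if (ext == NULL || len < 2) return 0;
    size_t list_end = 2 + (((size_t)ext[0] << 8) | ext[1]);
    if (list_end > len) return 0;
    size_t p = 2;
    while (p + 3 <= list_end) {
        uint8_t type = ext[p];
        size_t name_len = ((size_t)ext[p + 1] << 8) | ext[p + 2];
        p += 3;
        if (name_len > list_end - p) return 0;
        if (type == 0) {
            if (name_len == 0 || name_len >= outlen) return 0;
            if (memchr(ext + p, '\0', name_len) != NULL) return 0; /* embedded NUL */
            memcpy(out, ext + p, name_len);
            out[name_len] = '\0';
            return 1;
        }
        p += name_len;
    }
    return 0;
}

/* Decide the [min,max] version range for one ClientHello from its SNI
 * extension body (NULL/0 when the client sent none). Malformed or missing
 * SNI falls back to the default entry, never to "accept anything". */
const struct sni_policy *policy_for_hello(const uint8_t *sni_ext, size_t sni_len) {
    char host[256];
    if (sni_host_name(sni_ext, sni_len, host, sizeof host))
        return policy_for_sni(host);
    return policy_for_sni(NULL);
}

#ifdef HAVE_OPENSSL_111
/* How the decision attaches to OpenSSL 1.1.1: register with
 * SSL_CTX_set_client_hello_cb(ctx, sni_version_cb, NULL). The callback runs
 * before version negotiation, so the per-connection min/max take effect. */
#include <openssl/ssl.h>
static int sni_version_cb(SSL *ssl, int *al, void *arg) {
    const unsigned char *ext = NULL;
    size_t ext_len = 0;
    (void)arg;
    if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &ext, &ext_len))
        ext = NULL, ext_len = 0;
    const struct sni_policy *p = policy_for_hello(ext, ext_len);
    if (!SSL_set_min_proto_version(ssl, p->min_version) ||
        !SSL_set_max_proto_version(ssl, p->max_version)) {
        *al = SSL_AD_INTERNAL_ERROR;
        return SSL_CLIENT_HELLO_ERROR;
    }
    return SSL_CLIENT_HELLO_SUCCESS;
}
#endif

/* Constructed server_name extension body naming "api.example.com". */
static const uint8_t SAMPLE_SNI[] = {
    0x00, 0x12,              /* server_name_list length = 18 */
    0x00,                    /* name_type = host_name */
    0x00, 0x0f,              /* host_name length = 15 */
    'a','p','i','.','e','x','a','m','p','l','e','.','c','o','m'
};

int main(void) {
    const struct sni_policy *p = policy_for_hello(SAMPLE_SNI, sizeof SAMPLE_SNI);
    printf("api.example.com -> min 0x%04x max 0x%04x\n", p->min_version, p->max_version);
    return 0;
}
```

Leif's ALPN question fits the same hook: SSL_client_hello_get0_ext() can be asked for TLSEXT_TYPE_application_layer_protocol_negotiation at the same point, so a callback could raise the minimum to TLS 1.2 when the client offers only "h2". Whether that is preferable to rejecting the h2 offer later during ALPN selection is the open question in the thread, not something this example settles.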