Peter Sylvester wrote:
> It happened that I played with this a bit.
>
> It is not just that you have a list of servers in one context, all
> parameters of the server e.g. requirements for user certs etc can be
> different, so a separate SSL_CTX seems useful.
>
does this theoretically rule out usage of 1 SSL_CTX for multiple virtual servers (the case where each one has a separate certificate)?

I think not.. this is just an easier solution.. one can achieve this with a single SSL_CTX, but programmatically tedious (well.. that's relative).. before the SSL_accept is called, we should know what certificate the server needs to send out as part of the SSL Handshake based on some information such as IP/Subnet or whatever.. the application needs to maintain a stack of x509.. one can dynamically override the SSL_CTX cert by replacing the SSL_OBJ cert.. remember the latter only inherits the defaults of SSL_CTX.. the programmer can replace the values inside SSL_OBJ.. Think in terms of SSL_OBJ and not SSL_CTX..

What about the case where 1 server can have several certificates for itself, each signed by a different root CA? Can this be done?

> Enclosed a patch for the snapshot of today (try s_server and s_client
> with -servername abc)
>
> There is an SSL_ctrl routine to switch to another SSL_CTX which has to
> fiddle a bit in with the SSL, since the cert is cached.
>
Thanks,
jimmy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
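The thread discusses two ways to serve several virtual hosts from one listening socket: keep one SSL_CTX and swap the certificate on the SSL object before the handshake, or keep one SSL_CTX per host and switch contexts once the client's server name is known. The following is an added example, not code from the thread or from the OpenSSL project. It uses Python's standard `ssl` module, whose `SSLContext.sni_callback` wraps OpenSSL's servername callback and whose assignment to `sslobj.context` performs the same context switch on the SSL object that the quoted patch describes. Hostnames, certificate paths and the "CTX_*" stand-in values are constructed for the example; `build_vhost_contexts` only runs when real chain and key files exist.

```python
"""Per-virtual-host certificate selection via SNI with Python's ssl module.

Added example (not from the openssl-users thread). Each virtual host gets
its own SSLContext so that per-host policy (client-cert requirements,
ciphers) can differ; the callback switches the connection to the right
context before the server sends its certificate.
"""
import ssl
from typing import Dict, Optional

# Constructed mapping: server name -> (cert chain file, private key file).
# These paths are placeholders and are only opened by build_vhost_contexts().
VHOST_FILES = {
    "www.example.test": ("/etc/tls/www.pem", "/etc/tls/www.key"),
    "api.example.test": ("/etc/tls/api.pem", "/etc/tls/api.key"),
}
DEFAULT_VHOST = "www.example.test"


def normalize_servername(name: Optional[str]) -> Optional[str]:
    """Canonicalise an SNI value: lower-case and drop a trailing dot.
    Returns None when the client sent no (or an empty) server name."""
    if not name:
        return None
    name = name.strip().lower().rstrip(".")
    return name or None


def select_vhost(name: Optional[str], known: Dict[str, object], default: str) -> str:
    """Decide which virtual host serves this connection.
    Unknown or absent names fall back to the default host, so the
    handshake still completes with the default certificate rather
    than failing on an unexpected SNI value."""
    norm = normalize_servername(name)
    if norm is not None and norm in known:
        return norm
    return default


def build_vhost_contexts(files=VHOST_FILES) -> Dict[str, ssl.SSLContext]:
    """One SSLContext per virtual host, each loading its own chain and key.
    Requires the files in `files` to exist; not called at import time."""
    contexts = {}
    for host, (chain, key) in files.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(chain, key)
        contexts[host] = ctx
    return contexts


def make_sni_callback(contexts: Dict[str, object], default: str):
    """Build a callback for SSLContext.sni_callback.

    Assigning sslobj.context replaces the SSL object's context mid-handshake,
    which is what OpenSSL's servername callback plus SSL_set_SSL_CTX do.
    Returning None tells the library to continue the handshake."""
    def on_sni(sslobj, servername, original_ctx):
        host = select_vhost(servername, contexts, default)
        sslobj.context = contexts[host]
        return None
    return on_sni


def install(listen_ctx: ssl.SSLContext, contexts, default: str) -> ssl.SSLContext:
    """Attach the SNI dispatcher to the context passed to wrap_socket()."""
    listen_ctx.sni_callback = make_sni_callback(contexts, default)
    return listen_ctx


class _StandInConnection:
    """Minimal stand-in for the SSLObject handed to the callback, used only
    to exercise the dispatch logic offline without real certificates."""
    context = None


def demo() -> Dict[Optional[str], str]:
    """Run the callback against constructed SNI values and report which
    stand-in context each connection ends up with."""
    stand_in_contexts = {"www.example.test": "CTX_WWW", "api.example.test": "CTX_API"}
    cb = make_sni_callback(stand_in_contexts, DEFAULT_VHOST)
    results = {}
    for sni in ["www.example.test", "API.Example.Test.", "evil.example.test", None]:
        conn = _StandInConnection()
        cb(conn, sni, None)
        results[sni] = conn.context
    return results


if __name__ == "__main__":
    for sni, chosen in demo().items():
        print(f"SNI={sni!r:24} -> {chosen}")
```

The fallback for unknown names is a deliberate choice: rejecting them with an alert (the callback may return an `ssl.ALERT_DESCRIPTION_*` value instead of None) is also valid, and is the stricter option when a host must never present a certificate for a name it does not own.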