jimmy wrote:
> Peter Sylvester wrote:
>> It depends to what degree you accept modifying internal features of
>> openssl SSL and SSL_CTX objects, or to add new functions in the api.
> does this theoretically rule out usage of 1 SSL_CTX for multiple
> virtual servers (the case where each one has a separate certificate)?

It happened that I played with this a bit. It is not just that you have a
list of servers in one context; all parameters of the server, e.g.
requirements for user certs etc., can be different, so a separate SSL_CTX
seems useful.
> What about the case where 1 server can have several certificates for
> itself, each signed by a different root CA? Can this be done?
Some possible steps:

- define one or more ways allowing the server to select one of its
  'configurations', based on called IP address, port, servername
  extension, or whatever else information you have available.
- As soon as you have that you can look at an implementation: if you make
  your decision before having read anything, then you can easily use a
  different SSL_CTX; this is the actual logic in apache, for example.
- If you need to look at the client hello, then you are already in a
  session, i.e. you have an SSL object. Thus, in some way, the library or
  your application must make a decision. A flexible way is to give a
  callback to the application so it can inspect the information from the
  client hello, and then do whatever magic, or better some allowed actions,
  to change the SSL object depending on the needs of the application
  architecture and, of course, on the possibilities of the openssl API.
- I don't think one should expect too much magic for all kinds of
  configurations available inside the openssl library. Compare it also
  with the possibilities of what can be done selecting a client cert:
  there is no code inside the library that selects based on the CA names,
  but there is a callback for an application.
--
To verify the signature, see http://edelpki.edelweb.fr/
That lets you load the authority's certificate; you will also find the
list of revoked certificates there.
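Added example (editor's addition, not code from this thread or from OpenSSL): the third step above, "look at the client hello, then let a callback swap the server configuration", written against Go's crypto/tls because its GetConfigForClient hook has exactly that shape: it sees the ClientHello and returns a whole per-virtual-server config. The OpenSSL equivalent is a servername callback installed with SSL_CTX_set_tlsext_servername_callback that calls SSL_set_SSL_CTX on the SSL object. It also shows the earlier point that each virtual server can carry its own user-certificate policy, not just its own certificate. The names a.example and b.example, the throwaway self-signed certificates generated at run time, and the loopback listener are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustCert makes a throwaway self-signed certificate for one hostname
// (constructed at run time; no real CA involved).
func mustCert(host string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// demoHosts builds the per-virtual-server configs (assumed names); each has
// its own certificate and its own client-certificate requirement.
func demoHosts() map[string]*tls.Config {
	return map[string]*tls.Config{
		"a.example": {Certificates: []tls.Certificate{mustCert("a.example")}, ClientAuth: tls.NoClientCert},
		"b.example": {Certificates: []tls.Certificate{mustCert("b.example")}, ClientAuth: tls.RequestClientCert},
	}
}

// newServerConfig is the listener-level config. Its only job is the callback
// that inspects the ClientHello (here the servername extension) and swaps in
// the whole per-vhost config, which is the role SSL_set_SSL_CTX plays inside
// an OpenSSL servername callback.
func newServerConfig(hosts map[string]*tls.Config) *tls.Config {
	return &tls.Config{
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			if cfg, ok := hosts[hello.ServerName]; ok {
				return cfg, nil
			}
			// Unknown or absent SNI: refuse rather than serve some default cert.
			return nil, fmt.Errorf("no virtual server for %q", hello.ServerName)
		},
	}
}

// connectAs does one handshake over loopback with serverName in the SNI
// extension and returns the DNS name in the certificate the server presented.
func connectAs(srv *tls.Config, serverName string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			tc := tls.Server(conn, srv)
			err = tc.Handshake()
			tc.Close()
		}
		srvErr <- err
	}()
	// InsecureSkipVerify: throwaway self-signed certs; we only look at which one arrived.
	cc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer cc.Close()
	name := cc.ConnectionState().PeerCertificates[0].DNSNames[0]
	if err := <-srvErr; err != nil {
		return "", err
	}
	return name, nil
}

func main() {
	cfg := newServerConfig(demoHosts())
	for _, sni := range []string{"a.example", "b.example", "nobody.example"} {
		got, err := connectAs(cfg, sni)
		fmt.Printf("SNI %-15s -> cert for %q, err: %v\n", sni, got, err)
	}
}
```

Running it handshakes three times against the same listener config: the first two clients get the certificate matching the name they sent, the third (an unknown name) is refused at the callback, so the client sees a fatal alert instead of some default certificate. That refusal is the choice a practitioner has to make deliberately; falling back to the first configured virtual server is what silently serves the wrong certificate.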