On 28 Oct 2014, at 1:30 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Graham Leggett:
>
>> I have a need to parse the first incoming hello packet on an
>> incoming TLS connection and based on the presence (or absence) of
>> the SNI header, choose to pass the connection through to another
>> server.
>
> I think you'll need to work with BIOs to make a copy of the initial
> handshake messages and prevent the OpenSSL code from sending any data,
> install a server name callback (see SSL_CTX_callback_ctrl and
> SSL_CTRL_SET_TLSEXT_SERVERNAME_CB), and abort the connection from
> OpenSSL's point of view at that point. You then know the SNI value
> and can forward the stored handshake messages to the correct server.
>
> The callback is invoked fairly late, so OpenSSL needs to be able to
> parse the handshake messages. A separate Client Hello parser is not
> part of the OpenSSL public API.

Is there a way to know whether the initial handshake has arrived fully?

Should I just call SSL_read() over and over until the point at which it wants to write data, and go "initial handshake is done"?

Regards,
Graham

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
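A standalone ClientHello parser of the kind Florian says OpenSSL does not expose, added here as an example; it is not code from this thread, from Graham's project, or from OpenSSL. It works on the raw bytes read from the socket, so "has the initial hello fully arrived" becomes a plain length check: the first TLS record announces its own size in the 5-byte header, and `tls_record_needed()` returns that total, so the front-end keeps reading until at least that many bytes are buffered and only then asks `parse_client_hello_sni()` for the name. All function and enum names are this example's own, and the sample ClientHello is constructed inline, not captured from a real client.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of inspecting the bytes buffered so far on a fresh connection. */
enum sni_status {
    SNI_NEED_MORE = 0,  /* first TLS record incomplete: read more and call again */
    SNI_FOUND     = 1,  /* complete ClientHello carrying a host_name entry */
    SNI_ABSENT    = 2,  /* complete ClientHello without usable SNI */
    SNI_REJECT    = -1  /* not a ClientHello we can parse, or malformed: do not route on it */
};
static size_t rd16(const uint8_t *p) { return (size_t)p[0] << 8 | p[1]; }
static size_t rd24(const uint8_t *p) { return (size_t)p[0] << 16 | (size_t)p[1] << 8 | p[2]; }

/* Bytes the first record occupies (5-byte header + body), or 0 until the header
 * has arrived.  "Fully arrived" means len >= tls_record_needed(buf, len). */
size_t tls_record_needed(const uint8_t *buf, size_t len)
{
    return len < 5 ? 0 : 5 + rd16(buf + 3);
}

/* Parse the first record as a ClientHello and copy its SNI host_name into out.
 * Every length is checked against the record end before the bytes are touched. */
int parse_client_hello_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    size_t end = tls_record_needed(buf, len);
    if (end == 0) return SNI_NEED_MORE;
    if (buf[0] != 0x16 || buf[1] != 0x03) return SNI_REJECT;    /* handshake, SSL3/TLS */
    if (end > 5 + 16384) return SNI_REJECT;                      /* record length limit */
    if (len < end) return SNI_NEED_MORE;
    if (end < 9 || buf[5] != 0x01) return SNI_REJECT;            /* HandshakeType client_hello */
    /* Assumption for this demo: the ClientHello fits in one record.  A hello
     * fragmented across records is reported as unparseable, not as "no SNI". */
    if (9 + rd24(buf + 6) != end || end < 9 + 34) return SNI_REJECT;
    size_t p = 9 + 34;                                           /* past client_version + random */
    size_t sid = buf[p++];                                       /* session_id<0..32> */
    if (sid > 32 || p + sid + 2 > end) return SNI_REJECT;
    p += sid;
    size_t cs = rd16(buf + p); p += 2;                           /* cipher_suites<2..2^16-2> */
    if (cs < 2 || cs % 2 || p + cs + 1 > end) return SNI_REJECT;
    p += cs;
    size_t cm = buf[p++];                                        /* compression_methods<1..255> */
    if (cm < 1 || p + cm > end) return SNI_REJECT;
    p += cm;
    if (p == end) return SNI_ABSENT;                             /* extensions are optional */
    if (p + 2 > end || p + 2 + rd16(buf + p) != end) return SNI_REJECT;
    p += 2;
    while (p + 4 <= end) {
        size_t type = rd16(buf + p), elen = rd16(buf + p + 2);
        p += 4;
        if (p + elen > end) return SNI_REJECT;
        if (type != 0x0000) { p += elen; continue; }             /* not server_name: skip it */
        /* ServerNameList: list_len(2), then entries of name_type(1), len(2), name */
        if (elen < 2 || rd16(buf + p) + 2 != elen) return SNI_REJECT;
        size_t q = p + 2, qend = p + elen;
        while (q + 3 <= qend) {
            uint8_t name_type = buf[q]; size_t nlen = rd16(buf + q + 1); q += 3;
            if (q + nlen > qend) return SNI_REJECT;
            if (name_type == 0x00) {                             /* host_name */
                if (nlen == 0 || nlen >= outlen) return SNI_REJECT;
                for (size_t i = 0; i < nlen; i++)                /* attacker-supplied: printable ASCII only */
                    if (buf[q + i] < 0x21 || buf[q + i] > 0x7e) return SNI_REJECT;
                memcpy(out, buf + q, nlen); out[nlen] = '\0';
                return SNI_FOUND;
            }
            q += nlen;
        }
        return SNI_ABSENT;                                       /* server_name present, no host_name */
    }
    return SNI_ABSENT;
}

/* Constructed sample (not a captured packet): a TLS 1.2 ClientHello with an
 * ec_point_formats extension followed by server_name = example.com. */
size_t sample_client_hello(uint8_t *buf)
{
    static const uint8_t head[] = { 0x16,0x03,0x01,0x00,0x4b,   /* record: handshake, length 75 */
        0x01,0x00,0x00,0x47, 0x03,0x03 };                       /* client_hello, length 71; TLS 1.2 */
    static const uint8_t tail[] = { 0x00,                       /* session_id length 0 */
        0x00,0x04, 0x13,0x01, 0xc0,0x2f, 0x01,0x00,             /* two cipher suites; null compression */
        0x00,0x1a, 0x00,0x0b, 0x00,0x02, 0x01,0x00,             /* extensions length 26; ec_point_formats */
        0x00,0x00, 0x00,0x10, 0x00,0x0e, 0x00, 0x00,0x0b,       /* server_name: host_name, length 11 */
        'e','x','a','m','p','l','e','.','c','o','m' };
    size_t n = 0;
    memcpy(buf + n, head, sizeof head); n += sizeof head;
    memset(buf + n, 0x11, 32);          n += 32;                /* client random (fixed for the demo) */
    memcpy(buf + n, tail, sizeof tail); n += sizeof tail;
    return n;                                                   /* 80 bytes */
}

int main(void)
{
    uint8_t buf[128]; char host[256];
    size_t n = sample_client_hello(buf);
    int st = parse_client_hello_sni(buf, n, host, sizeof host);
    printf("%zu bytes buffered, status %d, sni=%s\n", n, st, st == SNI_FOUND ? host : "(none)");
    return 0;
}
```

In a front-end that routes on the result, read from the accepted socket into a buffer until `tls_record_needed()` is non-zero and the buffer holds that many bytes, then call the parser once and hand the buffered bytes, untouched, to whichever backend the name selects; OpenSSL is never involved on the front-end path. Two cases deliberately land in `SNI_REJECT` rather than `SNI_ABSENT`: a ClientHello fragmented across several records, and the SSLv2-compatible hello format some old clients send, neither of which this parser understands, so the proxy has to decide by policy whether such connections go to the no-SNI backend or are dropped. The host_name is attacker-controlled input, which is why it is bounds-checked, length-limited and restricted to printable ASCII before it reaches a routing table or a log line.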