Hi! My application server can receive 2 types of incoming connections, either from user requests (such as Firefox) or from a proprietary client for which the HTTP requests are controlled. I want to enforce client verification for the proprietary client connections, not for the user requests. Unfortunately, I have very few possibilities for determining the connection type, everybody connect on the same TCP port.
Because I control the proprietary client connections, I tries using the ALPN extension. In this case, my application server can detect the ALPN extension and enforce the client verification. In order to implement this, I tried using SSL_set_SSL_CTX in the ALPN callback. Because this function does not seem to copy the verify_mode flag, I also applied SSL_set_verify and SSL_set_verify_depth on the SSL handle. The client certificate is requested and verified but OpenSSL then fails with an internal error. I managed to make it work with the same mechanism applied to SNI. My questions are: - Is it expected to have the error when using the ALPN callback? i had the feeling that it would be more appropriate to use this extension in this case. - Is it valid to use SNI this way? The registered server_name is an ASCII keyword used to detect the inbound request type, not a real server name. Thank you, Chris.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
