httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: sni+alpn, vhost+certs
Date Wed, 17 Jun 2015 12:23:58 GMT
On Wed, Jun 17, 2015 at 8:21 AM, Stefan Eissing
<stefan.eissing@greenbytes.de> wrote:
> 1. connection, setup for base server and defaults
> 2. client hello arrives
> 3. ALPN callback is invoked by openssl
> 4. ALPN protocol is chosen, this triggers the server answer
> 5. SNI callback is invoked by openssl and sets up vhost info and configs
> 6. Oops.
>
> Lacking the SNI name and vhost setups, the sendback in 4 seems to fall back to the default
> vhost selection and that certificate is used to answer the call.
>
> The issue has been reported by me on the openssl dev list. As a workaround for now and
> compatibility with older openssl versions, I propose to add to the ALPN patch something that
> a) checks in ALPN callback if vhost has been set up by SNI callback
> b) if not, retrieves SNI servername via SSL_get_servername()
> c) if servername is returned, set up vhost just like in SNI callback
> d) if SNI callback is invoked and vhost has been set up already, nop
>
> Sounds reasonable?


Seems fair

-- 
Eric Covener
covener@gmail.com
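
The callback ordering and workaround steps (a) to (d) quoted above, modelled as an added example that is not part of the thread and is not mod_ssl or OpenSSL code. All struct and function names, the vhost table and the certificate labels are hypothetical; `sni_name` stands in for the value `SSL_get_servername()` would return, and names are assumed to be already lowercased.

```c
#include <stddef.h>
#include <string.h>

/* Constructed vhost table; entry 0 plays the base (default) server. */
struct vhost { const char *name; const char *cert; };
static const struct vhost vhosts[] = {
    { "default.example", "cert-default" },
    { "a.example",       "cert-a" },
    { "b.example",       "cert-b" },
};

/* Hypothetical per-connection state. */
struct conn {
    const char *sni_name;       /* stand-in for SSL_get_servername(); NULL if no SNI */
    const struct vhost *vhost;  /* currently selected vhost */
    int vhost_from_sni;         /* set once name-based selection has run */
    int setups;                 /* how many times selection really ran */
};

/* Idempotent vhost selection shared by both callbacks: steps (c) and (d). */
static void init_vhost(struct conn *c)
{
    if (c->vhost_from_sni) return;      /* (d) already set up: no-op */
    if (c->sni_name == NULL) return;    /* client sent no SNI: keep base server */
    for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
        if (strcmp(vhosts[i].name, c->sni_name) == 0) { c->vhost = &vhosts[i]; break; }
    c->vhost_from_sni = 1;
    c->setups++;
}

/* SNI callback: sets up the vhost unless the ALPN callback already did. */
static void sni_callback(struct conn *c) { init_vhost(c); }

/* ALPN callback: returns the cert the server answer would be built from. */
static const char *alpn_callback(struct conn *c, int workaround)
{
    if (workaround) init_vhost(c);      /* (a)+(b): select vhost before answering */
    return c->vhost->cert;
}

/* Drive the callbacks in the order reported in the message: ALPN, then SNI. */
const char *handshake_cert(const char *sni, int workaround, int *setups)
{
    struct conn c = { sni, &vhosts[0], 0, 0 };
    const char *cert = alpn_callback(&c, workaround);
    sni_callback(&c);
    if (setups) *setups = c.setups;
    return cert;
}
```
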
