Add certificate selection callback #5430
Comments
Mbed-TLS#5430 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
#5454 "server certificate selection callback" submitted as a Draft for discussion.
Renaming to "add certificate selection callback" - after discussion with the team, we agreed that new callbacks should not be named after a particular point in the handshake, but after the action they're meant to allow. Handshake flows might change between versions and it's our job to shield users from those low-level details and just run the callback at the right time for the associated action.
Suggested enhancement
Add a new callback (server-side) that's called at the right time for the server to select a certificate.
Constraints:
Justification
Mbed TLS needs this because sometimes the server needs to adjust its behaviour based on multiple extensions, so per-extension callbacks (such as the existing SNI callback) are not enough. An example is servers who want to support the ACME "tls-alpn-01" challenge, where certificate selection needs to happen based not only on SNI but also on the ALPN extension, as reported in #5331.
Finally, it appears there's a similar callback in OpenSSL since 1.0.2 and people are using it.
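The decision such a callback has to make for "tls-alpn-01", once it can see SNI and ALPN together, is sketched below as an added example; it is not code from this issue or from Mbed TLS and calls no Mbed TLS API. The names `select_cert`, `cert_choice` and `alpn_is_acme_only` are hypothetical, host names are assumed to be lower-cased already, and rejecting a validation connection that has no pending challenge is a design choice of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical outcomes; a real callback would install a cert/key pair. */
enum cert_choice { CERT_REJECT, CERT_DEFAULT, CERT_SITE, CERT_ACME_CHALLENGE };

#define ACME_ALPN "acme-tls/1" /* protocol name defined by RFC 8737 */

/* Walk the ALPN ProtocolNameList (2-byte length, then 1-byte length-prefixed
 * names). Returns 1 if acme-tls/1 is the only name offered, 0 for any other
 * well-formed list, -1 if the list is malformed. */
static int alpn_is_acme_only(const unsigned char *ext, size_t len)
{
    if (len < 4 || (((size_t)ext[0] << 8) | ext[1]) != len - 2)
        return -1;
    const unsigned char *p = ext + 2, *end = ext + len;
    int count = 0, acme = 0;
    while (p < end) {
        size_t n = *p++;
        if (n == 0 || n > (size_t)(end - p))
            return -1;
        if (n == strlen(ACME_ALPN) && memcmp(p, ACME_ALPN, n) == 0)
            acme = 1;
        p += n;
        count++;
    }
    return acme && count == 1;
}

/* Decision made with both extensions in view. sni and alpn may be NULL
 * (extension absent). Assumes host names are already lower-cased. */
enum cert_choice select_cert(const char *sni, const unsigned char *alpn, size_t alpn_len,
                             const char *site, const char *pending_challenge)
{
    int acme = alpn ? alpn_is_acme_only(alpn, alpn_len) : 0;
    if (acme < 0)
        return CERT_REJECT;
    if (acme == 1) /* validation connection: never fall back to a real cert */
        return (sni && pending_challenge && strcmp(sni, pending_challenge) == 0)
                   ? CERT_ACME_CHALLENGE : CERT_REJECT;
    return (sni && strcmp(sni, site) == 0) ? CERT_SITE : CERT_DEFAULT;
}

int main(void)
{
    /* Constructed sample: ALPN list offering only acme-tls/1. */
    const unsigned char acme[] = "\x00\x0b\x0a" "acme-tls/1";
    printf("%d\n", select_cert("example.org", acme, sizeof acme - 1, "example.org", "example.org"));
    return 0;
}
```

An SNI-only callback cannot tell the first and third cases in the test apart, since both carry the same server name; only the ALPN list distinguishes the validation connection from ordinary traffic.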