Hi!

My application server can receive two types of incoming connections, either from user requests (such as Firefox) or from a proprietary client for which the HTTP requests are controlled. I want to enforce client verification for the proprietary client connections, not for the user requests. Unfortunately, I have very few possibilities for determining the connection type; everybody connects on the same TCP port.

Because I control the proprietary client connections, I tried using the ALPN extension. In this case, my application server can detect the ALPN extension and enforce the client verification. In order to implement this, I tried using SSL_set_SSL_CTX in the ALPN callback. Because this function does not seem to copy the verify_mode flag, I also applied SSL_set_verify and SSL_set_verify_depth on the SSL handle.

The client certificate is requested and verified, but OpenSSL then fails with an internal error. I managed to make it work with the same mechanism applied to SNI. My questions are:

- Is it expected to have the error when using the ALPN callback? I had the feeling that it would be more appropriate to use this extension in this case.
- Is it valid to use SNI this way? The registered server_name is an ASCII keyword used to detect the inbound request type, not a real server name.

Thank you,
Chris.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
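Added example (not from Chris's post and not OpenSSL code): the design the post describes, one TCP port that serves browsers without client authentication and proprietary clients with a mandatory, verified client certificate, written against Go's crypto/tls rather than the OpenSSL C API. Go hands the whole parsed ClientHello to a single callback, GetConfigForClient, before the server sends anything, so the ALPN list (the signal Chris wanted to key on) and the SNI-keyword trick can both drive the decision, and the replacement tls.Config carries its own ClientAuth setting, so there is no separate verify-mode flag to copy across. The ALPN id x-proprietary/1, the SNI keyword proprietary-client, the throwaway self-signed ECDSA certificates and the loopback TCP connection are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed identifiers for this example; the post names neither.
const (
	ProprietaryALPN    = "x-proprietary/1"    // ALPN id only the proprietary client offers
	ProprietaryKeyword = "proprietary-client" // keyword sent as SNI in the post's SNI variant
)

// RequiresClientCert decides from the ClientHello alone (the ALPN list, or the
// SNI keyword trick) whether this connection must present a client certificate.
func RequiresClientCert(hello *tls.ClientHelloInfo) bool {
	for _, p := range hello.SupportedProtos {
		if p == ProprietaryALPN {
			return true
		}
	}
	return hello.ServerName == ProprietaryKeyword
}

// ServerConfig serves browsers without requesting a certificate and swaps in a
// config that demands a verified client certificate for proprietary clients.
// GetConfigForClient is the crypto/tls analogue of SSL_set_SSL_CTX in a callback;
// the verify mode (ClientAuth) is part of the config being swapped in.
func ServerConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	base := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		NextProtos:   []string{ProprietaryALPN, "http/1.1"},
		ClientAuth:   tls.NoClientCert,
	}
	strict := base.Clone()
	strict.ClientAuth = tls.RequireAndVerifyClientCert
	strict.ClientCAs = clientCAs
	base.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if RequiresClientCert(hello) {
			return strict, nil
		}
		return nil, nil // nil keeps base for this connection
	}
	return base
}

// ClientConfig trusts serverPool, offers one ALPN id and optionally holds a client cert.
func ClientConfig(serverPool *x509.CertPool, alpn string, certs ...tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: serverPool, ServerName: "localhost", NextProtos: []string{alpn}, Certificates: certs}
}

// SelfSigned makes a throwaway ECDSA self-signed certificate (usable as a server
// or client leaf) and a pool that trusts it. It is a fixture, so it panics.
func SelfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA: true, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Probe runs one loopback TCP connection and reports what the server saw: the
// negotiated ALPN protocol and whether a verified client certificate arrived,
// or the server-side handshake error when the connection was refused.
func Probe(serverCfg, clientCfg *tls.Config) (string, bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", false, err
	}
	defer ln.Close()
	go func() {
		cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
		if err != nil {
			ln.Close() // unblock Accept if the TCP connect itself failed
			return
		}
		// A TLS 1.3 client finishes its handshake before the server has judged the
		// client certificate; one Read lets the server's alert (if any) arrive.
		cli.SetDeadline(time.Now().Add(5 * time.Second))
		cli.Read(make([]byte, 1))
		cli.Close()
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", false, err
	}
	srv := tls.Server(raw, serverCfg)
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return "", false, err
	}
	cs := srv.ConnectionState()
	return cs.NegotiatedProtocol, len(cs.PeerCertificates) > 0, nil
}

func main() {
	serverCert, serverPool := SelfSigned("example server")
	clientCert, clientPool := SelfSigned("proprietary client")
	srv := ServerConfig(serverCert, clientPool)
	for name, cfg := range map[string]*tls.Config{
		"browser, no cert":       ClientConfig(serverPool, "http/1.1"),
		"proprietary, no cert":   ClientConfig(serverPool, ProprietaryALPN),
		"proprietary, with cert": ClientConfig(serverPool, ProprietaryALPN, clientCert),
	} {
		proto, cert, err := Probe(srv, cfg)
		fmt.Printf("%-24s proto=%q clientCert=%v err=%v\n", name, proto, cert, err)
	}
}
```

Running it prints one line per scenario: the browser-style client (ALPN http/1.1, no certificate) is accepted and the server sees no client certificate; the client offering x-proprietary/1 without a certificate is refused by the server during the handshake; the same client with its certificate is accepted with the certificate verified against the pool passed as clientCAs. One caveat the design shares with the OpenSSL version: the ALPN id or SNI keyword only selects which connections are challenged, and any client can send either, so authentication of the proprietary path rests entirely on the certificate verification, while the browser path stays unauthenticated by design.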