classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view


Christophe Truc

My application server can receive 2 types of incoming connections, either from user requests (such as Firefox) or from a proprietary client for which the HTTP requests are controlled. I want to enforce client verification for the proprietary client connections, not for the user requests. Unfortunately, I have very few possibilities for determining the connection type, everybody connect on the same TCP port.

Because I control the proprietary client connections, I tries using the ALPN extension. In this case, my application server can detect the ALPN extension and enforce the client verification. In order to implement this, I tried using SSL_set_SSL_CTX in the ALPN callback. Because this function does not seem to copy the verify_mode flag, I also applied SSL_set_verify and SSL_set_verify_depth on the SSL handle.

The client certificate is requested and verified but OpenSSL then fails with an internal error. I managed to make it work with the same mechanism applied to SNI. My questions are:
   - Is it expected to have the error when using the ALPN callback? i had the feeling that it would be more appropriate to use this extension in this case.
   - Is it valid to use SNI this way? The registered server_name is an ASCII keyword used to detect the inbound request type, not a real server name.

Thank you,

openssl-users mailing list
To unsubscribe: