Description
When starting to proxy an SSL connection, it would be nice to have the server name available for decision making. The SNI callback gives us this information. The SNI callback is currently used by core. Plugins may also want to execute their own logic in the SNI callback. They can do that now by registering a callback through the OpenSSL calls directly, but that would replace the core SNI callback processing.
We should add plugin calls to register code to be executed in the SNI callback for a connection. The plugin code would be executed after the core SNI callback logic.
In addition, there are scenarios where it would be useful to change how the connection is processed after learning the server name, e.g., deciding to blind tunnel instead of proxy tunnel (see TS-2956) or performing some different certificate calculations. Performing these extended operations is not feasible within the SNI callback. Instead we want to break out of SSL_accept() and perform the other logic there.
OpenSSL as it stands does not allow breaking out of the handshake from the SNI callback short of issuing an error (which would send an error back to the client). We have created a patch that adds a new return value which breaks out of SSL_accept() with a non-error but incomplete return (like the needs-to-read case). If that patch were present, the core logic could be extended to adjust processing.
In the blind tunnel case, the core logic could resend the first message (the ClientHello) directly to the origin server and move the connection into blind tunnel processing. In the certificate case, the core logic or some plugin logic could perform the certificate calculations and then retry SSL_accept() at some later point in time.
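The following is an added example, not code from Traffic Server, OpenSSL or the patch discussed above. It shows in Go (standard library crypto/tls, net and io; the names cursor, parseSNI, peekClientHello and clientHelloFor are mine) the one way to get the server name for decision making that needs no change to the TLS library at all: read the first TLS record off the accepted socket before SSL_accept() (or its Go equivalent) ever sees it, parse the server_name extension out of the ClientHello with a bounds check on every client-supplied length field, and keep the raw record so it can be replayed verbatim to the origin in the blind tunnel case described above. clientHelloFor stands in for an accepted socket by capturing a genuine ClientHello from a crypto/tls client over an in-memory pipe.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"time"
)

// cursor is a bounds-checked reader over client bytes; sub-cursors share one overrun flag.
type cursor struct{ b []byte; bad *bool }

func (c *cursor) take(n int) []byte {
	if len(c.b) < n { // overrun: flag it and drain so callers' loops stop
		*c.bad, c.b = true, nil
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) uint(w int) (v int) { // big-endian, w bytes wide; 0 after an overrun
	for _, x := range c.take(w) {
		v = v<<8 | int(x)
	}
	return v
}

// vec reads a vector with a w-byte length prefix and returns it as its own cursor.
func (c *cursor) vec(w int) *cursor { return &cursor{c.take(c.uint(w)), c.bad} }

// parseSNI returns the server_name host_name (RFC 6066) of a TLS ClientHello message,
// "" if it carries none, or an error if the bytes are not a well-formed ClientHello.
func parseSNI(msg []byte) (string, error) {
	c := &cursor{msg, new(bool)}
	typ := c.uint(1)
	h := c.vec(3) // handshake body
	h.take(34)    // legacy_version + random
	h.vec(1)      // session_id
	h.vec(2)      // cipher_suites
	h.vec(1)      // compression_methods
	name := ""
	if len(h.b) > 0 { // the extensions block is optional in older hellos
		for e := h.vec(2); len(e.b) > 0; {
			extType, d := e.uint(2), e.vec(2) // calls evaluate left to right
			if extType != 0 { // 0 = server_name
				continue
			}
			for l := d.vec(2); len(l.b) > 0; {
				nameType, n := l.uint(1), l.vec(2)
				if nameType == 0 && name == "" { // 0 = host_name; first one wins
					name = string(n.b)
				}
			}
		}
	}
	if *c.bad || typ != 1 || len(c.b) != 0 || len(h.b) != 0 { // 1 = client_hello; no trailing bytes
		return "", fmt.Errorf("malformed ClientHello")
	}
	return name, nil
}

// peekClientHello reads one TLS record off conn, returning its raw bytes (for replay) and its SNI.
func peekClientHello(conn net.Conn) ([]byte, string, error) {
	hdr := make([]byte, 5)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return nil, "", err
	}
	n := int(hdr[3])<<8 | int(hdr[4])
	if hdr[0] != 0x16 || n == 0 || n > 1<<14 { // 0x16 = handshake; 2^14 = max plaintext record
		return nil, "", fmt.Errorf("not a TLS handshake record")
	}
	raw := append(hdr, make([]byte, n)...)
	if _, err := io.ReadFull(conn, raw[5:]); err != nil {
		return nil, "", err
	}
	sni, err := parseSNI(raw[5:])
	return raw, sni, err
}

// clientHelloFor captures a genuine ClientHello for serverName from a crypto/tls client over an
// in-memory pipe; it stands in for the first bytes a proxy reads off an accepted socket.
func clientHelloFor(serverName string) ([]byte, string, error) {
	client, server := net.Pipe()
	go func() { // nobody answers, so the handshake fails; only its first record matters
		tls.Client(client, &tls.Config{ServerName: serverName}).Handshake()
		client.Close()
	}()
	defer server.Close()
	server.SetReadDeadline(time.Now().Add(2 * time.Second))
	return peekClientHello(server)
}

func main() {
	raw, sni, err := clientHelloFor("example.com")
	fmt.Printf("SNI=%q in a %d-byte record, err=%v\n", sni, len(raw), err)
}
```

A connection routed to the proxy path is then handed to the TLS stack with the saved record prepended to its read side (for instance a net.Conn wrapper whose Read drains raw before the socket), and one routed to the blind tunnel has raw written to the origin before bytes are copied in both directions, which is exactly the "resend the first message" step above. Two caveats a practitioner should keep in mind: the parser deliberately treats a ClientHello split over several records as malformed (the handshake length must fit the first record), and the name is attacker-controlled, so routing decisions must be made against a fixed set of names the proxy actually serves, never by resolving or connecting to whatever host the client named.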
Attachments
Issue Links
- breaks
  - TS-3257 possible memory leak in v5.2.0 (Closed)
- is related to
  - TS-3319 Adapt to Openssl 1.0.2 Certificate Callback (Closed)
- relates to
  - TS-3097 Reloading SSL certificates crashes (Closed)
  - TS-2956 Add ssl_pre_handshake hook for better plugin access to SSL handling and allow for combination of blind tunnel and tunnel proxying (Closed)
- supercedes
  - TS-2058 Traffic server fails to start with lots of SNI ssl certs defined (Closed)