-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: use SSL_set_cert_cb
for async SNI/OCSP
#1464
Conversation
0a9c681
to
8c05fed
Compare
8c05fed
to
7b45a8f
Compare
CI: 🔵 |
loadSNI(self, servername, function(err, ctx) { | ||
if (err) | ||
return self.destroy(err); | ||
requestOCSP(self, info, ctx, function(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ctx
is undefined
if (!servername || !self._SNICallback) in loadSNI. Do we require SNI to use OCSP stapling?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, we don't :)
I finished my review and put a few comments. |
Thank you, @shigeki ! Does it LGTY? |
Yes LGTM |
@bnoordhuis: could you PTAL too? |
Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see nodejs#1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: nodejs#1423
f837f3a
to
52ec001
Compare
Will land it in master soon. |
Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: #1423 PR-URL: #1464 Reviewed-By: Shigeki Ohtsu <[email protected]>
Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see nodejs#1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: nodejs#1423 PR-URL: nodejs#1464 Reviewed-By: Shigeki Ohtsu <[email protected]>
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: #1464 PR-URL: #25153 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: #1464 PR-URL: #25153 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464 PR-URL: nodejs#25153 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464 PR-URL: nodejs#25153 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API
SSL_set_cert_cb
to pause the handshake process andload the cert/OCSP response asynchronously. Hopefuly this will make
whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).
NOTE: Ported our code to
SSL_CTX_add1_chain_cert
to useSSL_CTX_get0_chain_certs
inCertCbDone
. Test provided for thisfeature.
Fix: #1423
R=@bnoordhuis and @shigeki
cc @iojs/crypto