tls: use SSL_set_cert_cb for async SNI/OCSP #1464
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
indutny force-pushed the feature/cert-cb branch from 0a9c681 to 8c05fed Compare 
indutny force-pushed the feature/cert-cb branch from 8c05fed to 7b45a8f Compare | CI: 🔵 |
There was a problem hiding this comment.
ctx is undefined if (!servername || !self._SNICallback) in loadSNI. Do we require SNI to use OCSP stapling?
| I finished my review and put a few comments. |
| Thank you, @shigeki ! Does it LGTY? |
| Yes LGTM |
| @bnoordhuis: could you PTAL too? |
Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see nodejs#1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: nodejs#1423
indutny force-pushed the feature/cert-cb branch from f837f3a to 52ec001 Compare | Will land it in master soon. |
indutny added a commit that referenced this pull request May 1, 2015
Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: #1423 PR-URL: #1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Fishrock123 pushed a commit to Fishrock123/node that referenced this pull request May 19, 2015
Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see nodejs#1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: nodejs#1423 PR-URL: nodejs#1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
sam-github added a commit to sam-github/node that referenced this pull request Dec 27, 2018
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464
sam-github added a commit that referenced this pull request Dec 28, 2018
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: #1464 PR-URL: #25153 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
targos pushed a commit that referenced this pull request Jan 1, 2019
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: #1464 PR-URL: #25153 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464 PR-URL: nodejs#25153 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
sam-github added a commit to sam-github/node that referenced this pull request Apr 29, 2019
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464 PR-URL: nodejs#25153 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API
SSL_set_cert_cbto pause the handshake process andload the cert/OCSP response asynchronously. Hopefuly this will make
whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).
NOTE: Ported our code to
SSL_CTX_add1_chain_certto useSSL_CTX_get0_chain_certsinCertCbDone. Test provided for thisfeature.
Fix: #1423
R=@bnoordhuis and @shigeki
cc @iojs/crypto