tls: use SSL_set_cert_cb for async SNI/OCSP#1464
Closed
indutny wants to merge 2 commits into nodejs:master from
Conversation
0a9c681 to 8c05fed
8c05fed to 7b45a8f
Author (indutny): CI: 🔵
Contributor: `ctx` is undefined if `(!servername || !self._SNICallback)` in `loadSNI`. Do we require SNI to use OCSP stapling?
Contributor: I finished my review and put a few comments.
Author (indutny): Thank you, @shigeki! Does it LGTY?
Contributor: Yes LGTM
Author (indutny): @bnoordhuis: could you PTAL too?
Do not enable ClientHello parser for async SNI/OCSP. Use the new OpenSSL 1.0.2 API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefully this will make the whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see nodejs#1462 for the discussion of removing it).

NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`.

Test provided for this feature.

Fix: nodejs#1423
f837f3a to 52ec001
Author (indutny): Will land it in master soon.
indutny added a commit that referenced this pull request on May 1, 2015:
Do not enable ClientHello parser for async SNI/OCSP. Use the new OpenSSL 1.0.2 API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefully this will make the whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it).

NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`.

Test provided for this feature.

Fix: #1423
PR-URL: #1464
Reviewed-By: Shigeki Ohtsu <[email protected]>
Fishrock123 pushed a commit to Fishrock123/node that referenced this pull request on May 19, 2015:
Do not enable ClientHello parser for async SNI/OCSP. Use the new OpenSSL 1.0.2 API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefully this will make the whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see nodejs#1462 for the discussion of removing it).

NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`.

Test provided for this feature.

Fix: nodejs#1423
PR-URL: nodejs#1464
Reviewed-By: Shigeki Ohtsu <[email protected]>
sam-github added a commit to sam-github/node that referenced this pull request on Dec 27, 2018:
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464
sam-github added a commit that referenced this pull request on Dec 28, 2018:
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: #1464
PR-URL: #25153
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anatoli Papirovski <[email protected]>
targos pushed a commit that referenced this pull request on Jan 1, 2019:
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: #1464
PR-URL: #25153
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anatoli Papirovski <[email protected]>
refack pushed a commit to refack/node that referenced this pull request on Jan 14, 2019:
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464
PR-URL: nodejs#25153
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anatoli Papirovski <[email protected]>
sam-github added a commit to sam-github/node that referenced this pull request on Apr 29, 2019:
The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: nodejs#1464
PR-URL: nodejs#25153
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anatoli Papirovski <[email protected]>
Do not enable ClientHello parser for async SNI/OCSP. Use the new OpenSSL 1.0.2 API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefully this will make the whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it).

NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`.

Test provided for this feature.

Fix: #1423

R=@bnoordhuis and @shigeki

cc @iojs/crypto