[Security-sig] Unified TLS API for Python
Cory Benfield
cory at lukasa.co.uk
Fri Jan 13 11:37:14 EST 2017
> On 13 Jan 2017, at 16:35, Christian Heimes <christian at cheimes.de> wrote:
>
> How would this work for OpenSSL? In OpenSSL the SNI callback replaces
> the SSL_CTX of a SSL socket pointer with another SSL_CTX. The new
> SSL_CTX takes care of cipher negotiation, certs and other handshake
> details. The SSL_CTX should be reused in order to benefit from cached
> certs, HSM stuff and cached sessions. OpenSSL binds sessions to SSL_CTX
> instances.
>
> A callback looks more like this:
>
> contexts = {
> 'www.example.org': SSLContext(cert1, key1),
> 'internal.example.com': SSLContext(cert2, key2),
> }
>
> def sni_callback(sock, hostname):
> sock.context = contexts[hostname]
If the goal is to keep those contexts static, the best thing to do is to cache the context based on the configuration. Because configurations should be static they should be hashable, which would mean that the ServerContext can keep an internal dictionary of {configuration: SSLContext}. When the new configuration is returned, it can simply pull the context out of the cache as needed.
Cory
More information about the Security-SIG
mailing list