Expose SSL_set1_groups to Efficiently Set Curves on SSL Session#346
Expose SSL_set1_groups to Efficiently Set Curves on SSL Session#346kornelski merged 3 commits intocloudflare:masterfrom
Conversation
|
Hi @cjpatton! I believe Since BoringSSL doesn't copy the curve list from the context into the SSL object, we need to set the curves directly on each SSL session to support different configurations for different SNIs. |
|
We're talking about deprecating set_curves in favour of set_curves_list. Does that cause problems for you? |
|
Hi @bwesterb. Are you referring to the Ideally, we'd like to use the |
Have you timed it? If it's significant, we can work with upstream to allow preparsing. |
kornelski
left a comment
kornelski
left a comment
There was a problem hiding this comment.
Looks okay, except I'd prefer a newtype instead of c_int in the API.
Justin-Kwan
force-pushed
the
cf-set-session-curves
branch
from
f13c651 to
1be437c
Compare
|
Thanks for the feedback and review @kornelski! |
|
@kornelski Thank you for the help, happy to see build is passing! |
4 participants
Description
Exposes BoringSSL method
SslRef::set_groups->SSL_set1_groupsto directly set curve groups against an ongoing SSL session. This is necessary because in boringssl, callingSSL_set_SSL_CTXto switch theSSL_CTXdoes not update the supported group list (supported_group_list) on the existing SSL session object. We must set the curve list directly on the session after the SSL object is created but before the handshake begins.SSL_set1_groupsis more efficient than the currently exposedSslRef::set_curves_list->SSL_set1_groups_listwhich uses more complicated parsing logic to parse colon delimited groups in stringExposes BoringSSL method
SslRef::set_options->SSL_set_optionsto directly set options against an ongoing SSL session (ex. enableboring::ssl::SslOptions::CIPHER_SERVER_PREFERENCEfor a specific SNI only)