
I have implemented SNI using OpenSSL, but not using an OpenSSL config file (cnf). I am loading a server SSL_CTX by doing the following:

    #include <stdio.h>
    #include <openssl/conf.h>
    #include <openssl/err.h>

    /* Load /somepath/app.cnf and run the configuration modules named in its
     * [appname] section; this configures OpenSSL itself, not any SSL_CTX. */
    FILE *fp;
    CONF *cnf = NULL;
    long eline;

    fp = fopen("/somepath/app.cnf", "r");
    if (fp == NULL) {
        fprintf(stderr, "Error opening configuration file\n");
        /* Other missing configuration file behaviour */
    } else {
        cnf = NCONF_new(NULL);
        if (NCONF_load_fp(cnf, fp, &eline) == 0) {
            /* eline is the line the parser choked on */
            fprintf(stderr, "Error on line %ld of configuration file\n", eline);
            ERR_print_errors_fp(stderr);
            /* Other malformed configuration file behaviour */
        } else if (CONF_modules_load(cnf, "appname", 0) <= 0) {
            fprintf(stderr, "Error configuring application\n");
            ERR_print_errors_fp(stderr);
            /* Other configuration error behaviour */
        }
        fclose(fp);
        NCONF_free(cnf);
    }

It works fine, but now I am trying to implement server-side SNI using the OpenSSL config file, and I don't know how I can get the required information to do it. I have taken a look at How to implement Server Name Indication (SNI), and this is a good explanation of how to do it without an OpenSSL config file. But that doesn't work when using the file.

How can I determine whether the server has the requested certificate? Maybe OpenSSL provides the proper certificate by itself?

jijklmm
  • What exactly do you mean by "implement server-side SNI"? From the server's side, it's the client that fills in the SNI data - or doesn't fill it in. – Andrew Henle Apr 09 '19 at 11:28
  • Yes, but from the server side you can have multiple SSL certs. First, get the SNI data sent by the client and match which of the certs the server should use. This is pretty easy when you have one SSL_CTX for each cert, but if we are configuring the SSL_CTX by using the cnf file, we cannot determine how many certs we already have and identify them by the SNI data. – jijklmm Apr 09 '19 at 14:28
  • The configuration file deals with various OpenSSL configuration items (ciphers, default values etc.), not with certificates to use. After your code you still need to create an OpenSSL context, etc., so the other question you link to is valid for your case too. – Patrick Mevzek Apr 09 '19 at 15:06

0 Answers