[exim-cvs] Explain the 3 SSL_CTX we have

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] Explain the 3 SSL_CTX we have
Gitweb: http://git.exim.org/exim.git/commitdiff/d4f09789499b5a665a0e79d6ed0086806fc7b648
Commit:     d4f09789499b5a665a0e79d6ed0086806fc7b648
Parent:     490b427c90a7540d592fa3cf9017a76b84f5d65e
Author:     Phil Pennock <pdp@???>
AuthorDate: Sun Dec 2 18:55:49 2012 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Sun Dec 2 18:55:49 2012 -0500


    Explain the 3 SSL_CTX we have
---
 src/src/tls-openssl.c |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index ae009c0..08b92ba 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -46,6 +46,25 @@ static BOOL client_verify_callback_called = FALSE;
static BOOL server_verify_callback_called = FALSE;
static const uschar *sid_ctx = US"exim";

+/* We have three different contexts to care about.
+
+Simple case: client, `client_ctx`
+ As a client, we can be doing a callout or cut-through delivery while receiving
+ a message.  So we have a client context, which should have options initialised
+ from the SMTP Transport.
+
+Server:
+ There are two cases: with and without ServerNameIndication from the client.
+ Given TLS SNI, we can be using different keys, certs and various other
+ configuration settings, because they're re-expanded with $tls_sni set.  This
+ allows vhosting with TLS.  This SNI is sent in the handshake.
+ A client might not send SNI, so we need a fallback, and an initial setup too.
+ So as a server, we start out using `server_ctx`.
+ If SNI is sent by the client, then we as server, mid-negotiation, try to clone
+ `server_sni` from `server_ctx` and then initialise settings by re-expanding
+ configuration.
+*/
+
 static SSL_CTX *client_ctx = NULL;
 static SSL_CTX *server_ctx = NULL;
 static SSL     *client_ssl = NULL;