On 29/04/2015 13:38, ma...@apache.org wrote:
> Author: markt
> Date: Wed Apr 29 12:38:40 2015
> New Revision: 1676733
>
> URL: http://svn.apache.org/r1676733
> Log:
> Remove some ALPN debug code. Add an SNI callback (dummy implementation only
> so far)
My plan for SNI with APR/native isn't particularly elegant but I do think it is achievable given the generally poor state of my C coding skills. The outline is:

- jni.SSLContext will maintain a map of default SSLContext to all SNI SSLContexts. It is a map since there may be more than one APR/native connector and each AprEndpoint has its own default SSLContext
- AprEndpoint will register the default SSLContext and the SNI SSLContexts with jni.SSLContext (and deregister)
- The callback will pass the current SSLContext and the SNI host name to jni.SSLContext which will look up the correct SSLContext in the map and change the current SSLContext if necessary

This does mean that in the worst case there will be a java->native->java->native call chain. I'm sure it is possible to move the map and associated hostname lookup code to the native library but I'm not at all confident that my C coding is up to that. On the plus side, changing the mapping algorithm is something that will only require changes on the Java side.

I plan to implement the above in stages, committing as and when it makes sense to do so.

Mark

>
> Modified:
>     tomcat/native/trunk/native/include/ssl_private.h
>     tomcat/native/trunk/native/src/sslcontext.c
>
> Modified: tomcat/native/trunk/native/include/ssl_private.h
> URL:
> http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1676733&r1=1676732&r2=1676733&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/include/ssl_private.h (original)
> +++ tomcat/native/trunk/native/include/ssl_private.h Wed Apr 29 12:38:40 2015
> @@ -259,8 +259,12 @@ struct tcn_ssl_ctxt_t { > /* for client: List of protocols to request via ALPN. > * for server: List of protocols to accept via ALPN. > */ > - char *alpn; > - int alpnlen; > + char *alpn; > + int alpnlen; > + > + /* References to Java SSLContext class used by SNI callbacks */ > + JNIEnv *jnienv; > + jobject java_object; > }; > > > > Modified: tomcat/native/trunk/native/src/sslcontext.c > URL: > http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1676733&r1=1676732&r2=1676733&view=diff > ============================================================================== > --- tomcat/native/trunk/native/src/sslcontext.c (original) > +++ tomcat/native/trunk/native/src/sslcontext.c Wed Apr 29 12:38:40 2015 > @@ -62,6 +62,15 @@ static apr_status_t ssl_context_cleanup( > return APR_SUCCESS; > } > > +/* Callback used when OpenSSL receives a client hello with a Server Name > + * Indication extension. > + */ > +int ssl_callback_ServerNameIndication(SSL *ssl, int *al, tcn_ssl_ctxt_t *c) > +{ > + printf("SNI callback received"); > + return SSL_TLSEXT_ERR_OK; > +} > + > /* Initialize server context */ > TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, > jint protocol, jint mode) > @@ -69,7 +78,6 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma > apr_pool_t *p = J2P(pool, apr_pool_t *); > tcn_ssl_ctxt_t *c = NULL; > SSL_CTX *ctx = NULL; > - UNREFERENCED(o); > > if (protocol == SSL_PROTOCOL_TLSV1_2) { > #ifdef SSL_OP_NO_TLSv1_2 
> @@ -197,6 +205,13 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma > SSL_CTX_set_default_passwd_cb(c->ctx, (pem_password_cb > *)SSL_password_callback); > SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void > *)(&tcn_password_callback)); > SSL_CTX_set_info_callback(c->ctx, SSL_callback_handshake); > + > + /* Set Server Name Indication (SNI) callback */ > + c->jnienv = e; > + c->java_object = o; > + SSL_CTX_set_tlsext_servername_callback(c->ctx, > ssl_callback_ServerNameIndication); > + SSL_CTX_set_tlsext_servername_arg(c->ctx, c); > + > /* > * Let us cleanup the ssl context when the pool is destroyed > */ > @@ -684,8 +699,6 @@ int cb_server_alpn(SSL *ssl, > int i; > unsigned short splen; > > - printf("inlen [%d]\n", inlen); > - > if (inlen == 0) { > // Client specified an empty protocol list. Nothing to negotiate. > return SSL_TLSEXT_ERR_ALERT_FATAL; > @@ -713,8 +726,6 @@ int cb_server_alpn(SSL *ssl, > return SSL_TLSEXT_ERR_ALERT_FATAL; > } > > - printf("A\n"); > - > proposed_protos = apr_array_make(con->pool, 0, sizeof(char *)); > for (i = 0; i < tcsslctx->alpnlen; /**/) { > unsigned int plen = tcsslctx->alpn[i++]; > @@ -727,8 +738,6 @@ int cb_server_alpn(SSL *ssl, > i += plen; > } > > - printf("E\n"); > - > if (proposed_protos->nelts <= 0) { > // Should never happen. The server did not specify any protocols. > return SSL_TLSEXT_ERR_ALERT_FATAL; > @@ -744,8 +753,6 @@ int cb_server_alpn(SSL *ssl, > } > } > > - printf("F\n"); > - > size_t len = strlen((const char*)*out); > if (len > 255) { > // Agreed protocol name too long > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
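Review bot: In the ssl_private.h hunk, the new `JNIEnv *jnienv;` field in `tcn_ssl_ctxt_t` cannot safely be read later from the servername callback: a JNIEnv is bound to the thread that obtained it and to the duration of that native call, while the struct lives as long as the SSL_CTX and the callback runs on whichever thread drives the handshake. Store a `JavaVM *` instead (obtained once with `(*e)->GetJavaVM(e, &vm)` in `make()`) and fetch a per-thread env in the callback via `(*vm)->GetEnv(vm, (void **)&env, JNI_VERSION_1_6)`, attaching with `AttachCurrentThread` if the thread is not yet attached.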
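Review bot: In the `@@ -197,6 +205,13 @@` hunk of sslcontext.c, `c->java_object = o;` stores a JNI local reference, which is invalidated as soon as `SSLContext.make` returns to Java, so the first use from the SNI callback would dereference a dead handle. Use `c->java_object = (*e)->NewGlobalRef(e, o);` here and add a matching `DeleteGlobalRef` in `ssl_context_cleanup` (the pool cleanup visible in the `@@ -62,6 +62,15 @@` hunk header) so the reference is released when the context is destroyed.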
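Review bot: In the `@@ -62,6 +62,15 @@` hunk, `ssl_callback_ServerNameIndication` declares its third parameter as `tcn_ssl_ctxt_t *c`, but OpenSSL's servername callback type is `int (*)(SSL *, int *, void *)`; the `SSL_CTX_set_tlsext_servername_callback` macro casts the pointer so this compiles, yet calling through a mismatched function type is undefined behaviour, so declare `void *arg` and cast to `tcn_ssl_ctxt_t *` inside. The `printf("SNI callback received");` also sits oddly in a commit whose log says it removes ALPN debug output, and without a trailing newline it will linger in the stdout buffer; drop it or route it through the library's logging before the callback grows a real body. When the lookup is implemented, decide explicitly what an unknown or absent server name returns: `SSL_TLSEXT_ERR_NOACK` keeps the default context and certificate, whereas `SSL_TLSEXT_ERR_ALERT_FATAL` aborts the handshake, and the choice should be documented rather than left to whatever the stub happens to return.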
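The registry-and-lookup step Mark outlines (each endpoint registers its default context and the SNI contexts keyed under it; the callback asks which context a given current context plus SNI host name should use) can be modelled on its own, without the JNI round trip. What follows is an added example written for this page, not tomcat-native or Tomcat code: a small C registry keyed by default context and the selection function a servername callback would call. Every name (`sni_registry_t`, `sni_select`, and so on) is hypothetical, `sni_ctx_t` stands in for an `SSL_CTX`, and the hosts and connectors are constructed. The OpenSSL glue is deliberately omitted so the example compiles stand-alone; in a real callback the name would come from `SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)` and the chosen context would be applied with `SSL_set_SSL_CTX`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SNI_MAX_ENDPOINTS 4
#define SNI_MAX_HOSTS     16
#define SNI_MAX_HOSTLEN   256   /* a TLS server_name HostName is at most 255 octets */

/* Stand-in for a native SSL_CTX; only the address matters (constructed type). */
typedef struct { const char *label; } sni_ctx_t;

typedef struct { char host[SNI_MAX_HOSTLEN]; sni_ctx_t *ctx; } sni_entry_t;

/* One record per endpoint: its default context and the SNI contexts registered against it. */
typedef struct {
    sni_ctx_t  *default_ctx;
    sni_entry_t hosts[SNI_MAX_HOSTS];
    size_t      nhosts;
} sni_endpoint_t;

typedef struct { sni_endpoint_t ep[SNI_MAX_ENDPOINTS]; size_t nep; } sni_registry_t;

/* Lower-case the name and drop a trailing dot; reject empty or over-long names. */
static int sni_normalise(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n > 0 && in[n - 1] == '.')
        n--;
    if (n == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return 0;
}

static sni_endpoint_t *sni_find(sni_registry_t *r, const sni_ctx_t *default_ctx)
{
    for (size_t i = 0; i < r->nep; i++)
        if (r->ep[i].default_ctx == default_ctx)
            return &r->ep[i];
    return NULL;
}

/* Endpoint start: register its default context. Returns 0, or -1 if full or already present. */
int sni_register_default(sni_registry_t *r, sni_ctx_t *default_ctx)
{
    if (sni_find(r, default_ctx) || r->nep == SNI_MAX_ENDPOINTS)
        return -1;
    r->ep[r->nep].default_ctx = default_ctx;
    r->ep[r->nep].nhosts = 0;
    r->nep++;
    return 0;
}

/* Register an SNI context under the default context of its endpoint. */
int sni_register_host(sni_registry_t *r, sni_ctx_t *default_ctx, const char *host, sni_ctx_t *ctx)
{
    sni_endpoint_t *e = sni_find(r, default_ctx);
    if (!e || e->nhosts == SNI_MAX_HOSTS)
        return -1;
    if (sni_normalise(host, e->hosts[e->nhosts].host, SNI_MAX_HOSTLEN) != 0)
        return -1;
    e->hosts[e->nhosts].ctx = ctx;
    e->nhosts++;
    return 0;
}

/* Endpoint stop: forget the default context and everything registered under it. */
void sni_deregister(sni_registry_t *r, sni_ctx_t *default_ctx)
{
    sni_endpoint_t *e = sni_find(r, default_ctx);
    if (e)
        *e = r->ep[--r->nep];
}

/* The decision the callback needs: which context should this handshake use?
 * host is NULL when the ClientHello carried no server_name extension. Unknown,
 * empty or malformed names keep the current (default) context, so the handshake
 * continues with the default certificate instead of aborting. */
sni_ctx_t *sni_select(sni_registry_t *r, sni_ctx_t *current, const char *host)
{
    char norm[SNI_MAX_HOSTLEN];
    sni_endpoint_t *e = sni_find(r, current);
    if (!e || !host || sni_normalise(host, norm, sizeof norm) != 0)
        return current;
    for (size_t i = 0; i < e->nhosts; i++)
        if (strcmp(e->hosts[i].host, norm) == 0)
            return e->hosts[i].ctx;
    return current;
}

int main(void)
{
    /* Constructed sample: two connectors, each with its own default and SNI context. */
    static sni_ctx_t def1 = { "default-8443" }, www1 = { "www-8443" };
    static sni_ctx_t def2 = { "default-8444" }, www2 = { "www-8444" };
    sni_registry_t reg;
    memset(&reg, 0, sizeof reg);
    sni_register_default(&reg, &def1);
    sni_register_host(&reg, &def1, "www.example.test", &www1);
    sni_register_default(&reg, &def2);
    sni_register_host(&reg, &def2, "www.example.test", &www2);
    printf("%s\n", sni_select(&reg, &def1, "WWW.Example.Test.")->label);   /* www-8443 */
    printf("%s\n", sni_select(&reg, &def2, "www.example.test")->label);    /* www-8444 */
    printf("%s\n", sni_select(&reg, &def1, NULL)->label);                  /* default-8443 */
    printf("%s\n", sni_select(&reg, &def1, "other.example.test")->label);  /* default-8443 */
    return 0;
}
```

The registry is keyed by the default context precisely because the mail notes that each AprEndpoint has its own default context, so the same host name can legitimately map to different contexts on different connectors; the lookup normalises case and a trailing dot before comparing, and every failure path returns the current context rather than NULL, which keeps the callback's "change only if necessary" rule trivial to honour.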