MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.

commit: 0594211987351eaf521577b798a3a461b043710c [log] [tgz]
author: Emmanuel Hocdet <manu@gandi.net> Mon Feb 20 16:11:50 2017 +0100
committer: Willy Tarreau <w@1wt.eu> Thu Mar 02 18:31:05 2017 +0100
tree: 86bdaf89329ce7e93d644a26561a3ef58c83fece
parent: 19b1412e021451d4c7ac39750b556efaaf8639bf [diff] [blame]
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index a384f05..e3a85ca 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h

@@ -29,7 +29,8 @@
 struct sni_ctx {
 	SSL_CTX *ctx;             /* context associated to the certificate */
 	int order;                /* load order for the certificate */
-	int neg;                  /* reject if match */
+	uint8_t neg;              /* reject if match */
+	uint8_t key_sig;          /* TLSEXT_signature_[rsa,ecdsa,...] */
 	struct ssl_bind_conf *conf; /* ssl "bind" conf for the certificate */
 	struct ebmb_node name;    /* node holding the servername value */
 };
commit	0594211987351eaf521577b798a3a461b043710c	[log] [tgz]
author	Emmanuel Hocdet <manu@gandi.net>	Mon Feb 20 16:11:50 2017 +0100
committer	Willy Tarreau <w@1wt.eu>	Thu Mar 02 18:31:05 2017 +0100
tree	86bdaf89329ce7e93d644a26561a3ef58c83fece
parent	19b1412e021451d4c7ac39750b556efaaf8639bf [diff] [blame]