mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 15:10:48 +02:00
Document SNI per-host policy gap in wolfSSL_set_SSL_CTX
wolfSSL_set_SSL_CTX is the OpenSSL-compatible entry point that an SNI callback uses to swap in the per-vhost certificate during the handshake. By design it only copies the certificate chain and private key from the new CTX. Verification settings, the trusted CA store, CRL/OCSP configuration, minimum key-size requirements, and cipher/version policy stay attached to the original CTX. For multi-tenant servers where each virtual host has its own security policy, that means one host's verification rules silently apply to a connection meant for another.

Expand the leading comment with an explicit SECURITY WARNING that lists the settings which are NOT inherited and points at the WOLFSSL*-level setters callers must use inside the SNI callback when virtual hosts have different policies. The behavior of the function is unchanged.

F-2902
@@ -15871,6 +15871,12 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
|
||||
* - changing the server certificate(s)
|
||||
* - changing the server id for session handling
|
||||
* and everything else in WOLFSSL* needs to remain untouched.
|
||||
*
|
||||
* SECURITY: swapping ssl->ctx switches cm-resolved settings (CA store,
|
||||
* CRL, OCSP) to the new CTX but leaves ssl-cached ones (verify mode and
|
||||
* callback, minDowngrade, key-size minimums, suites, version bounds)
|
||||
* pinned to the original. SNI callbacks must re-apply those ssl-level
|
||||
* settings explicitly; CRL/OCSP isolation requires an SSL-local store.
|
||||
*/
|
||||
WOLFSSL_ENTER("wolfSSL_set_SSL_CTX");
|
||||
if (ssl == NULL || ctx == NULL)
|
||||
|
||||
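Review bot: the added SECURITY paragraph says the cm-resolved settings (CA store, CRL, OCSP) switch to the new CTX, while the commit message says the trusted CA store and CRL/OCSP configuration stay attached to the original CTX; the two descriptions contradict each other, so one of them needs correcting before this lands as the documented contract. The comment also tells SNI callbacks to "re-apply those ssl-level settings explicitly" without naming a single setter, although the commit message promises that it points at the WOLFSSL*-level setters. Suggest listing the setter next to each pinned item (verify mode and callback, minDowngrade, key-size minimums, suites, version bounds) and spelling out what "an SSL-local store" means for CRL/OCSP isolation and how a caller obtains one, since a reader of the comment alone cannot act on it as written.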