Document SNI per-host policy gap in wolfSSL_set_SSL_CTX

wolfSSL_set_SSL_CTX is the OpenSSL-compatible entry point that an
SNI callback uses to swap in the per-vhost certificate during the
handshake. By design it only copies the certificate chain and
private key from the new CTX. Verification settings, the trusted
CA store, CRL/OCSP configuration, minimum key-size requirements,
and cipher/version policy stay attached to the original CTX. For
multi-tenant servers where each virtual host has its own security
policy, that means one host's verification rules silently apply
to a connection meant for another.

Expand the leading comment with an explicit SECURITY WARNING
that lists the settings which are NOT inherited and points at the
WOLFSSL*-level setters callers must use inside the SNI callback
when virtual hosts have different policies. The behavior of the
function is unchanged.

F-2902
This commit is contained in:
Juliusz Sosinowicz
2026-04-30 22:38:50 +02:00
parent 3234f66cf3
commit ed4f4ce826
+6
@@ -15871,6 +15871,12 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
* - changing the server certificate(s)
* - changing the server id for session handling
* and everything else in WOLFSSL* needs to remain untouched.
*
* SECURITY: swapping ssl->ctx switches cm-resolved settings (CA store,
* CRL, OCSP) to the new CTX but leaves ssl-cached ones (verify mode and
* callback, minDowngrade, key-size minimums, suites, version bounds)
* pinned to the original. SNI callbacks must re-apply those ssl-level
* settings explicitly; CRL/OCSP isolation requires an SSL-local store.
*/
WOLFSSL_ENTER("wolfSSL_set_SSL_CTX");
if (ssl == NULL || ctx == NULL)
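Review bot: the added comment contradicts the commit message on where the CA store, CRL and OCSP settings end up after the swap. The message says they "stay attached to the original CTX", while the comment says swapping ssl->ctx "switches cm-resolved settings (CA store, CRL, OCSP) to the new CTX" and only the ssl-cached settings stay pinned to the original. Only one of these is true for a given build, and callers will act on whichever they read first, so settle which it is and make the two agree. Second, the message promises that the warning "points at the WOLFSSL*-level setters callers must use", but the comment only says "SNI callbacks must re-apply those ssl-level settings explicitly" without naming a single setter; listing the setter next to each item in the parenthesised list (verify mode and callback, minDowngrade, key-size minimums, suites, version bounds) would make the warning actionable. Finally, "CRL/OCSP isolation requires an SSL-local store" states a requirement with no pointer to how such a store is obtained; a reference to the relevant API would close that gap.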