From ed4f4ce8260709ced750a6bcff95d51b9bc8bed4 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 30 Apr 2026 22:38:50 +0200 Subject: [PATCH] Document SNI per-host policy gap in wolfSSL_set_SSL_CTX wolfSSL_set_SSL_CTX is the OpenSSL-compatible entry point that an SNI callback uses to swap in the per-vhost certificate during the handshake. By design it only copies the certificate chain and private key from the new CTX. Verification settings, the trusted CA store, CRL/OCSP configuration, minimum key-size requirements, and cipher/version policy stay attached to the original CTX. For multi-tenant servers where each virtual host has its own security policy, that means one host's verification rules silently apply to a connection meant for another. Expand the leading comment with an explicit SECURITY WARNING that lists the settings which are NOT inherited and points at the WOLFSSL*-level setters callers must use inside the SNI callback when virtual hosts have different policies. The behavior of the function is unchanged. F-2902 --- src/ssl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 9b694806e1..a54c0782d6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -15871,6 +15871,12 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) * - changing the server certificate(s) * - changing the server id for session handling * and everything else in WOLFSSL* needs to remain untouched. + * + * SECURITY: swapping ssl->ctx switches cm-resolved settings (CA store, + * CRL, OCSP) to the new CTX but leaves ssl-cached ones (verify mode and + * callback, minDowngrade, key-size minimums, suites, version bounds) + * pinned to the original. SNI callbacks must re-apply those ssl-level + * settings explicitly; CRL/OCSP isolation requires an SSL-local store. */ WOLFSSL_ENTER("wolfSSL_set_SSL_CTX"); if (ssl == NULL || ctx == NULL)
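Review bot: the added comment and the commit message disagree about where the CA store, CRL and OCSP configuration end up after the swap, and only one of them can be right. The commit message says the trusted CA store and CRL/OCSP configuration "stay attached to the original CTX", while the new comment says "swapping ssl->ctx switches cm-resolved settings (CA store, CRL, OCSP) to the new CTX" and only the ssl-cached settings stay "pinned to the original". If the cert manager really is resolved through ssl->ctx at verify time, the commit message is wrong and should be corrected before merge; if it is captured into the WOLFSSL at creation, the comment is the one that misleads, and it is the text that will survive in the tree. Separately, the commit message promises that the comment "points at the WOLFSSL*-level setters callers must use inside the SNI callback", but the comment names none of them; it only says "SNI callbacks must re-apply those ssl-level settings explicitly". Since the whole purpose of the change is to tell a callback author what to do, list the setters next to each item (wolfSSL_set_verify for the verify mode and callback, and the corresponding ssl-level calls for the key-size minimums, suites and version bounds), and say concretely which API gives "an SSL-local store" for CRL/OCSP isolation, or drop that clause rather than leave a hint the reader cannot act on.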