Expose the downstream socket fd to the TLS certificate callback#915
Open
rzvncj wants to merge 1 commit into
Open
Expose the downstream socket fd to the TLS certificate callback#915rzvncj wants to merge 1 commit into
rzvncj wants to merge 1 commit into
Conversation
The async `certificate_callback` only receives `&mut SslRef`, with no handle to the underlying connection. Applications that select or forge a leaf per connection sometimes need connection-level context that is only reachable from the socket fd, which is unavailable at certificate-selection time. `handshake_with_callback` already holds the stream when it pauses the handshake to invoke the callback, so capture the stream's fd and stash it on the SSL via `ex_data` just before the call. Add `set_downstream_fd` / `get_downstream_fd` helpers to the ext module of both openssl-derived backends -- the shared `boringssl_openssl` server path compiles against either, so both must carry the helper. The fd is stored as the same platform-conditional type as pingora-core's `UniqueIDType` (`RawFd` on unix, socket handle on Windows), so the call site passes `io.id()` through with no cast or truncation. No public trait signatures change; the rustls and s2n backends are untouched.
rzvncj
force-pushed
the
add-support-for-early-fd-extraction
branch
from
02bd02a to
9371d2b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The async
certificate_callbackonly receives&mut SslRef, with no handle to the underlying connection. Applications that select or forge a leaf per connection sometimes need connection-level context that is only reachable from the socket fd, which is unavailable at certificate-selection time.handshake_with_callbackalready holds the stream when it pauses the handshake to invoke the callback, so capture the stream's fd and stash it on the SSL viaex_datajust before the call. Addset_downstream_fd/get_downstream_fdhelpers to the ext module of both openssl-derived backends -- the sharedboringssl_opensslserver path compiles against either, so both must carry the helper. The fd is stored as the same platform-conditional type as pingora-core'sUniqueIDType(RawFdon unix, socket handle on Windows), so the call site passesio.id()through with no cast or truncation. No public trait signatures change; the rustls and s2n backends are untouched.