Posted to dev@trafficserver.apache.org by Persia Aziz <pe...@yahoo.com.INVALID> on 2018/03/27 19:45:39 UTC

API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
TSSslOCSPCallbackSet sets the OCSP callback described in ATS
to the SSL context passed as an argument. This API is useful for contexts created externally via plugin

PR: https://github.com/apache/trafficserver/pull/3353/files

Syeda Persia Aziz
Software Developer, Yahoo! Inc., Champaign, Illinois

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Leif Hedstrom <zw...@apache.org>.

> On Mar 30, 2018, at 3:35 PM, Persia Aziz <pe...@yahoo.com> wrote:
> 
> After debugging, I found that TSSslServerContextCreate does not configure the ssl context with the ocsp data. So I had to make another API, for the OCSP to work for contexts created by plugin. I will make a PR
> 
> Following is the newly proposed API. I need to test this more. 


Curious, can you explain why TSSslServerContextCreate() can’t be modified to also initialize the OCSP callback? I really, really dislike that there have to be two calls to properly initialize a new context. I’d much rather add additional parameters to the TSSslServerContextCreate() API if that’s the problem here.

— Leif

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Persia Aziz <pe...@yahoo.com.INVALID>.
After debugging, I found that TSSslServerContextCreate does not configure the ssl context with the ocsp data. So I had to make another API, for the OCSP to work for contexts created by plugin. I will make a PR

 Following is the newly proposed API. I need to test this more. 

```
tsapi TSReturnCode
TSSslInitOCSPStapling(TSSslContext ctx, X509 *cert, char *certname, char *servername)
{
  auto sslCTX = reinterpret_cast<SSL_CTX *>(ctx);

  // Install the ATS core OCSP stapling callback on the plugin-created context.
  if (SSL_CTX_set_tlsext_status_cb(sslCTX, ssl_callback_ocsp_stapling)) {
    SSLConfigParams *params = SSLConfig::acquire();
    SSLCertLookup *lookup   = SSLCertificateConfig::acquire();

    // Load the configured CA file/path and the default verify paths into the context.
    if ((!SSL_CTX_load_verify_locations(sslCTX, params->serverCACertFilename, params->serverCACertPath)) ||
        (!SSL_CTX_set_default_verify_paths(sslCTX))) {
      SSLError("invalid CA Certificate file or CA Certificate path");
    }
    // Initialize the stapling data for this certificate; a failure is only logged.
    if (!ssl_stapling_init_cert(sslCTX, cert, certname)) {
      Warning("fail to configure SSL_CTX for OCSP Stapling info for certificate of %s", (const char *)certname);
    } else if (lookup != nullptr) {
      // Register the context under servername in the certificate lookup.
      lookup->insert(servername, SSLCertContext(sslCTX));
    }
    SSLCertificateConfig::release(lookup);
    SSLConfig::release(params);
    // TS_SUCCESS is returned once the callback is installed, even if a step above logged a failure.
    return TS_SUCCESS;
  }

  return TS_ERROR;
}
```

Syeda Persia Aziz
Software Developer, Yahoo! (Oath), Champaign, Illinois

    On Wednesday, March 28, 2018, 10:35:57 AM CDT, Leif Hedstrom <zw...@apache.org> wrote:  
 
 

> On Mar 27, 2018, at 9:52 PM, Persia Aziz <pe...@yahoo.com> wrote:
> 
> 
> @Leif,
> 
> Yes, this is for certificates loaded via plugin. I don't know of any such API to hand a new context to ATS. Again, looking at the code, the ocsp is enabled on a context only at the initialization phase. So any context created externally in a plugin does not get configured with the global ATS configuration.


This is way outside my area of expertise, but it seems we already have

    tsapi TSSslContext TSSslServerContextCreate(void);


So why can’t we set up the OCSP default callback handler in that existing API? Having two APIs each doing part of the context “initialization” seems unnecessary. Heck, even if we needed to add new parameters to TSSslServerContextCreate() that would be fine, since we can break API / ABI compatibility in v8.0.

Cheers,

— Leif

  

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Leif Hedstrom <zw...@apache.org>.

> On Mar 27, 2018, at 9:52 PM, Persia Aziz <pe...@yahoo.com> wrote:
> 
> 
> @Leif,
> 
> Yes, this is for certificates loaded via plugin. I don't know of any such API to hand a new context to ATS. Again, looking at the code, the ocsp is enabled on a context only at the initialization phase. So any context created externally in a plugin does not get configured with the global ATS configuration.


This is way outside my area of expertise, but it seems we already have

	tsapi TSSslContext TSSslServerContextCreate(void);


So why can’t we set up the OCSP default callback handler in that existing API? Having two APIs each doing part of the context “initialization” seems unnecessary. Heck, even if we needed to add new parameters to TSSslServerContextCreate() that would be fine, since we can break API / ABI compatibility in v8.0.

Cheers,

— Leif



Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Persia Aziz <pe...@yahoo.com.INVALID>.
@Leif,
Yes, this is for certificates loaded via plugin. I don't know of any such API to hand a new context to ATS. Again, looking at the code, the ocsp is enabled on a context only at the initialization phase. So any context created externally in a plugin does not get configured with the global ATS configuration.
Syeda Persia Aziz
Software Developer, Yahoo! (Oath), Champaign, Illinois

    On Tuesday, March 27, 2018, 5:43:10 PM CDT, Leif Hedstrom <zw...@apache.org> wrote:  
 
 

> On Mar 27, 2018, at 4:36 PM, Alan Carroll <so...@oath.com.INVALID> wrote:
> 
> Persia should correct me if I'm wrong, but my understanding is the default
> is no handling. The ATS core provides a default handler for OCSP and the
> point of this call is to set this context to use the ATS core default OCSP
> handler. That is how this makes OCSP easier for plugins - rather than
> writing a handler, the handling is delegated to the default handler in the
> ATS core.  I'm open to better name suggestions, a name which conveys the
> concept "use the ATS core default OCSP handler for this context".



Ah so this is for certificates (contexts) loaded via a plugin, and not the normal ssl_multicert.config way? Curious: Are we not using some API to “add” the context into the ATS handling of certificates? If so, couldn’t this be done implicitly by that API / UI or whatever it is? I.e. if a plugin hands ATS a new context, ATS calls the appropriate OpenSSL code to enable the default handling, much like it does when we load certificates via ssl_multicert.config?

— leif
  

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Leif Hedstrom <zw...@apache.org>.

> On Mar 27, 2018, at 4:36 PM, Alan Carroll <so...@oath.com.INVALID> wrote:
> 
> Persia should correct me if I'm wrong, but my understanding is the default
> is no handling. The ATS core provides a default handler for OCSP and the
> point of this call is to set this context to use the ATS core default OCSP
> handler. That is how this makes OCSP easier for plugins - rather than
> writing a handler, the handling is delegated to the default handler in the
> ATS core.  I'm open to better name suggestions, a name which conveys the
> concept "use the ATS core default OCSP handler for this context".



Ah so this is for certificates (contexts) loaded via a plugin, and not the normal ssl_multicert.config way? Curious: Are we not using some API to “add” the context into the ATS handling of certificates? If so, couldn’t this be done implicitly by that API / UI or whatever it is? I.e. if a plugin hands ATS a new context, ATS calls the appropriate OpenSSL code to enable the default handling, much like it does when we load certificates via ssl_multicert.config?

— leif


Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Alan Carroll <so...@oath.com.INVALID>.
Persia should correct me if I'm wrong, but my understanding is the default
is no handling. The ATS core provides a default handler for OCSP and the
point of this call is to set this context to use the ATS core default OCSP
handler. That is how this makes OCSP easier for plugins - rather than
writing a handler, the handling is delegated to the default handler in the
ATS core.  I'm open to better name suggestions, a name which conveys the
concept "use the ATS core default OCSP handler for this context".

On Tue, Mar 27, 2018 at 5:31 PM, James Peach <jp...@apache.org> wrote:

>
>
> > On Mar 27, 2018, at 1:52 PM, Alan Carroll <so...@oath.com.INVALID>
> wrote:
> >
> > Chatting with Persia privately, I recommend changing the name to
> something
> > like `TSSslOCSPDefaultHandlingEnable`, which is what it really does
> > (enable, for that context, the default / core OCSP handling).
>
> I'm confused ... isn't the default what you start with if you do nothing?
>
> >
> > On Tue, Mar 27, 2018 at 3:23 PM, Persia Aziz
> <pe...@yahoo.com.invalid>
> > wrote:
> >
> >>
> >> @Kit,
> >> Sure. I will provide an example plugin.
> >> Syeda Persia Aziz
> >> Software Developer, Yahoo! Inc., Champaign, Illinois
> >>
> >>    On Tuesday, March 27, 2018, 3:08:31 PM CDT, Shu Kit Chan <
> >> chanshukit@gmail.com> wrote:
> >>
> >> And it would be of great help if we can have an example plugin to
> >> illustrate how this can be used.
> >>
> >> Thanks.
> >>
> >> Kit
> >>
> >> On Tue, Mar 27, 2018 at 1:06 PM, Alan Carroll
> >> <so...@oath.com.invalid> wrote:
> >>> I made some comments on the PR. I would recommend at a minimum having a
> >>> reference / link over to where the OCSP callback is described.
> >>>
> >>> On Tue, Mar 27, 2018 at 3:04 PM, Persia Aziz
> >> <pe...@yahoo.com.invalid>
> >>> wrote:
> >>>
> >>>> This API will be used for contexts created in the plugin. Since the
> >>>> OCSP query, response and caching mechanisms are already in ATS, the
> >>>> developer can choose to use this callback for OCSP stapling. Otherwise
> >>>> the whole OCSP part has to be rewritten in the plugin. We have a use
> >>>> case where the plugin developer wants to use the ATS OCSP code without
> >>>> duplicating anything.
> >>>>
> >>>> Syeda Persia Aziz
> >>>> Software Developer, Yahoo! Inc., Champaign, Illinois
> >>>>
> >>>>   On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <
> >>>> jpeach@apache.org> wrote:
> >>>>
> >>>>
> >>>>
> >>>>> On Mar 27, 2018, at 12:45 PM, Persia Aziz
> >> <pe...@yahoo.com.INVALID>
> >>>> wrote:
> >>>>>
> >>>>> TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
> >>>>> TSSslOCSPCallbackSet sets the OCSP callback described in ATS
> >>>>
> >>>> What does "sets the OCSP callback described in ATS" mean? If I'm
> >> writing a
> >>>> plugin why would I call this API?
> >>>>
> >>>>> to the SSL context passed as an argument. This API is useful for
> >>>> contexts created externally via plugin
> >>>>>
> >>>>> PR: https://github.com/apache/trafficserver/pull/3353/files
> >>>>
> >>>> Looking at the PR, this enables OCSP stapling? Could you please
> explain
> >>>> the motivating problem and rationale, and document the semantics of
> the
> >>>> proposed API?
> >>>>
> >>>> J
> >>>>
> >>
> >>
>
>

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by James Peach <jp...@apache.org>.

> On Mar 27, 2018, at 1:52 PM, Alan Carroll <so...@oath.com.INVALID> wrote:
> 
> Chatting with Persia privately, I recommend changing the name to something
> like `TSSslOCSPDefaultHandlingEnable`, which is what it really does
> (enable, for that context, the default / core OCSP handling).

I'm confused ... isn't the default what you start with if you do nothing?

> 
> On Tue, Mar 27, 2018 at 3:23 PM, Persia Aziz <pe...@yahoo.com.invalid>
> wrote:
> 
>> 
>> @Kit,
>> Sure. I will provide an example plugin.
>> Syeda Persia Aziz
>> Software Developer, Yahoo! Inc., Champaign, Illinois
>> 
>>    On Tuesday, March 27, 2018, 3:08:31 PM CDT, Shu Kit Chan <
>> chanshukit@gmail.com> wrote:
>> 
>> And it would be of great help if we can have an example plugin to
>> illustrate how this can be used.
>> 
>> Thanks.
>> 
>> Kit
>> 
>> On Tue, Mar 27, 2018 at 1:06 PM, Alan Carroll
>> <so...@oath.com.invalid> wrote:
>>> I made some comments on the PR. I would recommend at a minimum having a
>>> reference / link over to where the OCSP callback is described.
>>> 
>>> On Tue, Mar 27, 2018 at 3:04 PM, Persia Aziz
>> <pe...@yahoo.com.invalid>
>>> wrote:
>>> 
>>>> This API will be used for contexts created in the plugin. Since the
>>>> OCSP query, response and caching mechanisms are already in ATS, the
>>>> developer can choose to use this callback for OCSP stapling. Otherwise
>>>> the whole OCSP part has to be rewritten in the plugin. We have a use
>>>> case where the plugin developer wants to use the ATS OCSP code without
>>>> duplicating anything.
>>>> 
>>>> Syeda Persia Aziz
>>>> Software Developer, Yahoo! Inc., Champaign, Illinois
>>>> 
>>>>   On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <
>>>> jpeach@apache.org> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On Mar 27, 2018, at 12:45 PM, Persia Aziz
>> <pe...@yahoo.com.INVALID>
>>>> wrote:
>>>>> 
>>>>> TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
>>>>> TSSslOCSPCallbackSet sets the OCSP callback described in ATS
>>>> 
>>>> What does "sets the OCSP callback described in ATS" mean? If I'm
>> writing a
>>>> plugin why would I call this API?
>>>> 
>>>>> to the SSL context passed as an argument. This API is useful for
>>>> contexts created externally via plugin
>>>>> 
>>>>> PR: https://github.com/apache/trafficserver/pull/3353/files
>>>> 
>>>> Looking at the PR, this enables OCSP stapling? Could you please explain
>>>> the motivating problem and rationale, and document the semantics of the
>>>> proposed API?
>>>> 
>>>> J
>>>> 
>> 
>> 


Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Alan Carroll <so...@oath.com.INVALID>.
Chatting with Persia privately, I recommend changing the name to something
like `TSSslOCSPDefaultHandlingEnable`, which is what it really does
(enable, for that context, the default / core OCSP handling).

On Tue, Mar 27, 2018 at 3:23 PM, Persia Aziz <pe...@yahoo.com.invalid>
wrote:

>
> @Kit,
> Sure. I will provide an example plugin.
> Syeda Persia Aziz
> Software Developer, Yahoo! Inc., Champaign, Illinois
>
>     On Tuesday, March 27, 2018, 3:08:31 PM CDT, Shu Kit Chan <
> chanshukit@gmail.com> wrote:
>
> And it would be of great help if we can have an example plugin to
> illustrate how this can be used.
>
> Thanks.
>
> Kit
>
> On Tue, Mar 27, 2018 at 1:06 PM, Alan Carroll
> <so...@oath.com.invalid> wrote:
> > I made some comments on the PR. I would recommend at a minimum having a
> > reference / link over to where the OCSP callback is described.
> >
> > On Tue, Mar 27, 2018 at 3:04 PM, Persia Aziz
> <pe...@yahoo.com.invalid>
> > wrote:
> >
> >> This API will be used for contexts created in the plugin. Since the
> >> OCSP query, response and caching mechanisms are already in ATS, the
> >> developer can choose to use this callback for OCSP stapling. Otherwise
> >> the whole OCSP part has to be rewritten in the plugin. We have a use
> >> case where the plugin developer wants to use the ATS OCSP code without
> >> duplicating anything.
> >>
> >> Syeda Persia Aziz
> >> Software Developer, Yahoo! Inc., Champaign, Illinois
> >>
> >>    On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <
> >> jpeach@apache.org> wrote:
> >>
> >>
> >>
> >> > On Mar 27, 2018, at 12:45 PM, Persia Aziz
> <pe...@yahoo.com.INVALID>
> >> wrote:
> >> >
> >> > TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
> >> > TSSslOCSPCallbackSet sets the OCSP callback described in ATS
> >>
> >> What does "sets the OCSP callback described in ATS" mean? If I'm
> writing a
> >> plugin why would I call this API?
> >>
> >> > to the SSL context passed as an argument. This API is useful for
> >> contexts created externally via plugin
> >> >
> >> > PR: https://github.com/apache/trafficserver/pull/3353/files
> >>
> >> Looking at the PR, this enables OCSP stapling? Could you please explain
> >> the motivating problem and rationale, and document the semantics of the
> >> proposed API?
> >>
> >> J
> >>
>
>

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Persia Aziz <pe...@yahoo.com.INVALID>.
@Kit,
Sure. I will provide an example plugin.
Syeda Persia Aziz
Software Developer, Yahoo! Inc., Champaign, Illinois

    On Tuesday, March 27, 2018, 3:08:31 PM CDT, Shu Kit Chan <ch...@gmail.com> wrote:

And it would be of great help if we can have an example plugin to
illustrate how this can be used.

Thanks.

Kit

On Tue, Mar 27, 2018 at 1:06 PM, Alan Carroll
<so...@oath.com.invalid> wrote:
> I made some comments on the PR. I would recommend at a minimum having a
> reference / link over to where the OCSP callback is described.
>
> On Tue, Mar 27, 2018 at 3:04 PM, Persia Aziz <pe...@yahoo.com.invalid>
> wrote:
>
>> This API will be used for contexts created in the plugin. Since the
>> OCSP query, response and caching mechanisms are already in ATS, the
>> developer can choose to use this callback for OCSP stapling. Otherwise the
>> whole OCSP part has to be rewritten in the plugin. We have a use case where
>> the plugin developer wants to use the ATS OCSP code without duplicating
>> anything.
>>
>> Syeda Persia Aziz
>> Software Developer, Yahoo! Inc., Champaign, Illinois
>>
>>    On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <
>> jpeach@apache.org> wrote:
>>
>>
>>
>> > On Mar 27, 2018, at 12:45 PM, Persia Aziz <pe...@yahoo.com.INVALID>
>> wrote:
>> >
>> > TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
>> > TSSslOCSPCallbackSet sets the OCSP callback described in ATS
>>
>> What does "sets the OCSP callback described in ATS" mean? If I'm writing a
>> plugin why would I call this API?
>>
>> > to the SSL context passed as an argument. This API is useful for
>> contexts created externally via plugin
>> >
>> > PR: https://github.com/apache/trafficserver/pull/3353/files
>>
>> Looking at the PR, this enables OCSP stapling? Could you please explain
>> the motivating problem and rationale, and document the semantics of the
>> proposed API?
>>
>> J
>>
  

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Shu Kit Chan <ch...@gmail.com>.
And it would be of great help if we can have an example plugin to
illustrate how this can be used.

Thanks.

Kit

On Tue, Mar 27, 2018 at 1:06 PM, Alan Carroll
<so...@oath.com.invalid> wrote:
> I made some comments on the PR. I would recommend at a minimum having a
> reference / link over to where the OCSP callback is described.
>
> On Tue, Mar 27, 2018 at 3:04 PM, Persia Aziz <pe...@yahoo.com.invalid>
> wrote:
>
>> This API will be used for contexts created in the plugin. Since the
>> OCSP query, response and caching mechanisms are already in ATS, the
>> developer can choose to use this callback for OCSP stapling. Otherwise the
>> whole OCSP part has to be rewritten in the plugin. We have a use case where
>> the plugin developer wants to use the ATS OCSP code without duplicating
>> anything.
>>
>> Syeda Persia Aziz
>> Software Developer, Yahoo! Inc., Champaign, Illinois
>>
>>     On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <
>> jpeach@apache.org> wrote:
>>
>>
>>
>> > On Mar 27, 2018, at 12:45 PM, Persia Aziz <pe...@yahoo.com.INVALID>
>> wrote:
>> >
>> > TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
>> > TSSslOCSPCallbackSet sets the OCSP callback described in ATS
>>
>> What does "sets the OCSP callback described in ATS" mean? If I'm writing a
>> plugin why would I call this API?
>>
>> > to the SSL context passed as an argument. This API is useful for
>> contexts created externally via plugin
>> >
>> > PR: https://github.com/apache/trafficserver/pull/3353/files
>>
>> Looking at the PR, this enables OCSP stapling? Could you please explain
>> the motivating problem and rationale, and document the semantics of the
>> proposed API?
>>
>> J
>>

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Alan Carroll <so...@oath.com.INVALID>.
I made some comments on the PR. I would recommend at a minimum having a
reference / link over to where the OCSP callback is described.

On Tue, Mar 27, 2018 at 3:04 PM, Persia Aziz <pe...@yahoo.com.invalid>
wrote:

> This API will be used for contexts created in the plugin. Since the
> OCSP query, response and caching mechanisms are already in ATS, the
> developer can choose to use this callback for OCSP stapling. Otherwise the
> whole OCSP part has to be rewritten in the plugin. We have a use case where
> the plugin developer wants to use the ATS OCSP code without duplicating
> anything.
>
> Syeda Persia Aziz
> Software Developer, Yahoo! Inc., Champaign, Illinois
>
>     On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <
> jpeach@apache.org> wrote:
>
>
>
> > On Mar 27, 2018, at 12:45 PM, Persia Aziz <pe...@yahoo.com.INVALID>
> wrote:
> >
> > TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
> > TSSslOCSPCallbackSet sets the OCSP callback described in ATS
>
> What does "sets the OCSP callback described in ATS" mean? If I'm writing a
> plugin why would I call this API?
>
> > to the SSL context passed as an argument. This API is useful for
> contexts created externally via plugin
> >
> > PR: https://github.com/apache/trafficserver/pull/3353/files
>
> Looking at the PR, this enables OCSP stapling? Could you please explain
> the motivating problem and rationale, and document the semantics of the
> proposed API?
>
> J
>

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by Persia Aziz <pe...@yahoo.com.INVALID>.
This API will be used for contexts created in the plugin. Since the OCSP query, response and caching mechanisms are already in ATS, the developer can choose to use this callback for OCSP stapling. Otherwise the whole OCSP part has to be rewritten in the plugin. We have a use case where the plugin developer wants to use the ATS OCSP code without duplicating anything.

Syeda Persia Aziz
Software Developer, Yahoo! Inc., Champaign, Illinois

    On Tuesday, March 27, 2018, 2:57:12 PM CDT, James Peach <jp...@apache.org> wrote:  
 
 

> On Mar 27, 2018, at 12:45 PM, Persia Aziz <pe...@yahoo.com.INVALID> wrote:
> 
> TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
> TSSslOCSPCallbackSet sets the OCSP callback described in ATS

What does "sets the OCSP callback described in ATS" mean? If I'm writing a plugin why would I call this API?

> to the SSL context passed as an argument. This API is useful for contexts created externally via plugin
> 
> PR: https://github.com/apache/trafficserver/pull/3353/files

Looking at the PR, this enables OCSP stapling? Could you please explain the motivating problem and rationale, and document the semantics of the proposed API?

J  

Re: API proposal: TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)

Posted by James Peach <jp...@apache.org>.

> On Mar 27, 2018, at 12:45 PM, Persia Aziz <pe...@yahoo.com.INVALID> wrote:
> 
> TSReturnCode TSSslOCSPCallbackSet(TSSslContext ctx)
> TSSslOCSPCallbackSet sets the OCSP callback described in ATS

What does "sets the OCSP callback described in ATS" mean? If I'm writing a plugin why would I call this API?

> to the SSL context passed as an argument. This API is useful for contexts created externally via plugin
> 
> PR: https://github.com/apache/trafficserver/pull/3353/files

Looking at the PR, this enables OCSP stapling? Could you please explain the motivating problem and rationale, and document the semantics of the proposed API?

J