author | Fedor Indutny <fedor@indutny.com> | 2015-04-18 10:19:23 +0200 |
---|---|---|
committer | Fedor Indutny <fedor@indutny.com> | 2015-05-01 16:56:55 +0200 |
commit | 550c2638c0885f9cbb1022f8f5234015e21836fe (patch) | |
tree | 5bc382b6cef0b84dc1851f719a33b7eb975339b6 /test/parallel | |
parent | 30b7349176da785cd7294fec8c31cfb9c5f791e8 (diff) | |
tls: use `SSL_set_cert_cb` for async SNI/OCSP
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and
load the cert/OCSP response asynchronously. Hopefully this will make the
whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).
NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use
`SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this
feature.
Fix: https://github.com/iojs/io.js/issues/1423
PR-URL: https://github.com/iojs/io.js/pull/1464
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Diffstat (limited to 'test/parallel')
-rw-r--r-- | test/parallel/test-tls-peer-certificate.js | 4 | ||||
-rw-r--r-- | test/parallel/test-tls-sni-server-client.js | 27 |
2 files changed, 18 insertions, 13 deletions
diff --git a/test/parallel/test-tls-peer-certificate.js b/test/parallel/test-tls-peer-certificate.js
index a1a19d7035..afd88531ea 100644
--- a/test/parallel/test-tls-peer-certificate.js
+++ b/test/parallel/test-tls-peer-certificate.js
@@ -36,13 +36,13 @@ server.listen(common.PORT, function() {
 common.debug(util.inspect(peerCert)); assert.equal(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
- assert.equal(peerCert.serialNumber, '9A84ABCFB8A72ABE');
+ assert.equal(peerCert.serialNumber, '9A84ABCFB8A72AC0');
 assert.deepEqual(peerCert.infoAccess['OCSP - URI'], [ 'http://ocsp.nodejs.org/' ]); var issuer = peerCert.issuerCertificate; assert.ok(issuer.issuerCertificate === issuer);
- assert.equal(issuer.serialNumber, 'B5090C899FC2FF93');
+ assert.equal(issuer.serialNumber, '8DF21C01468AF393');
 verified = true; server.close(); });
diff --git a/test/parallel/test-tls-sni-server-client.js b/test/parallel/test-tls-sni-server-client.js
index 7a1d09b9c2..a1d867233b 100644
--- a/test/parallel/test-tls-sni-server-client.js
+++ b/test/parallel/test-tls-sni-server-client.js
@@ -35,6 +35,11 @@ var SNIContexts = {
 'asterisk.test.com': { key: loadPEM('agent3-key'), cert: loadPEM('agent3-cert')
+ },
+ 'chain.example.com': {
+ key: loadPEM('agent6-key'),
+ // NOTE: Contains ca3 chain cert
+ cert: loadPEM('agent6-cert')
 } };
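Review bot: The comment `// NOTE: Contains ca3 chain cert` on the new `chain.example.com` context does not say what the test depends on. The matching client entry later in this file trusts only `ca1-cert`, so the case presumably passes only when the server sends the intermediate taken from this context's PEM; the fixtures are not part of this diff, so the ca1 → ca3 → agent6 issuance should be confirmed before wording it. I would expand the comment to `// agent6-cert bundles the ca3 intermediate; the client trusts only ca1, so the server must send the chain from this context`. The `SNIContexts` literal starts outside the hunk.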
@@ -42,32 +47,29 @@ var serverPort = common.PORT;
 var clientsOptions = [{ port: serverPort,
- key: loadPEM('agent1-key'),
- cert: loadPEM('agent1-cert'),
 ca: [loadPEM('ca1-cert')], servername: 'a.example.com', rejectUnauthorized: false }, { port: serverPort,
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert'),
 ca: [loadPEM('ca2-cert')], servername: 'b.test.com', rejectUnauthorized: false }, { port: serverPort,
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert'),
 ca: [loadPEM('ca2-cert')], servername: 'a.b.test.com', rejectUnauthorized: false }, { port: serverPort,
- key: loadPEM('agent3-key'),
- cert: loadPEM('agent3-cert'),
 ca: [loadPEM('ca1-cert')], servername: 'c.wrong.com', rejectUnauthorized: false
+}, {
+ port: serverPort,
+ ca: [loadPEM('ca1-cert')],
+ servername: 'chain.example.com',
+ rejectUnauthorized: false
 }]; var serverResults = [],
@@ -79,6 +81,7 @@ var server = tls.createServer(serverOptions, function(c) {
 server.addContext('a.example.com', SNIContexts['a.example.com']); server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
+server.addContext('chain.example.com', SNIContexts['chain.example.com']);
 server.listen(serverPort, startTest);
@@ -105,7 +108,9 @@ function startTest() {
 } process.on('exit', function() {
- assert.deepEqual(serverResults, ['a.example.com', 'b.test.com',
- 'a.b.test.com', 'c.wrong.com']);
- assert.deepEqual(clientResults, [true, true, false, false]);
+ assert.deepEqual(serverResults, [
+ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
+ 'chain.example.com'
+ ]);
+ assert.deepEqual(clientResults, [true, true, false, false, true]);
 }); |
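Review bot: The exit-time check `assert.deepEqual(clientResults, [true, true, false, false, true])` in the last hunk is the only evidence that the chain from the new SNI context reached the client, and since every entry in `clientsOptions` sets `rejectUnauthorized: false`, a verification failure appears only as a bare `false` in that array. The callback that fills `clientResults` lives in `startTest`, outside these hunks; presumably it records `client.authorized`. If so, I would also report the reason for an unauthorized connection there, e.g. `if (!client.authorized) console.error(options.servername, client.authorizationError);` with the names adapted to that callback, so a regression in the async certificate path names the failing verification step instead of only flipping a boolean.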