Add framework for switching certs based on signature_algorithms TLS extension.
Summary: Added support for switching SSLContexts based on the signature_algorithms
extension.
This diff does not currently include any logic for determining which certs use
SHA1 or not.
Some thoughts:
- This is a little scary since it defaults to SHA1 (assuming the client can't support
SHA256 if we don't see SHA256 specifically in the hello extension). We need to
be 100% sure that all clients that are going to reject SHA1 are sending this,
and that we identify it correctly.
- We should add logging to see when we think a client needs SHA1, when we
actually give SHA1, etc. I'm not sure what the best way to do this is with our
logging infrastructure.
- This is not setup to serve any SHA1 certs to SHA256 supporting clients.
Reviewed By: @siyengar
Differential Revision:
D2408773
fb-gh-sync-id:
48ad9cdfaae25e144c0964b9bfb1c342b137ffca