Internal change PiperOrigin-RevId: 512662869
diff --git a/quiche/quic/core/crypto/proof_source.cc b/quiche/quic/core/crypto/proof_source.cc
index 95fb446..b340bc5 100644
--- a/quiche/quic/core/crypto/proof_source.cc
+++ b/quiche/quic/core/crypto/proof_source.cc
@@ -56,4 +56,6 @@
 return true;
 }
+void ProofSource::OnNewSslCtx(SSL_CTX*) {}
+
 } // namespace quic
diff --git a/quiche/quic/core/crypto/proof_source.h b/quiche/quic/core/crypto/proof_source.h
index ac34ebb..7721554 100644
--- a/quiche/quic/core/crypto/proof_source.h
+++ b/quiche/quic/core/crypto/proof_source.h
@@ -118,6 +118,13 @@
 virtual ~ProofSource() {}
+ // OnNewSslCtx changes SSL parameters if required by ProofSource
+ // implementation. It is called when new SSL_CTX is created for a listener.
+ // Default implementation does nothing.
+ //
+ // This function may be called concurrently.
+ virtual void OnNewSslCtx(SSL_CTX* ssl_ctx);
+
 // GetProof finds a certificate chain for |hostname| (in leaf-first order),
 // and calculates a signature of |server_config| using that chain.
 //
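Review bot: The new comment on `OnNewSslCtx` does not say who owns `ssl_ctx` or whether an override may keep the pointer after the call, and "may be called concurrently" leaves open whether the same ProofSource can be entered from several threads with different contexts. Overrides receive a mutable context that the server side has already configured, so the contract should also state which settings they are expected to leave alone. I would extend the comment with lines such as `// |ssl_ctx| is non-null, is not owned, and must not be retained after the call returns.` and `// Implementations must not replace callbacks already installed on |ssl_ctx|.`, adjusted to whatever the intended contract actually is. The class declaration begins and ends outside the hunk.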
diff --git a/quiche/quic/core/crypto/tls_server_connection.cc b/quiche/quic/core/crypto/tls_server_connection.cc
index ed7e5b2..51311bc 100644
--- a/quiche/quic/core/crypto/tls_server_connection.cc
+++ b/quiche/quic/core/crypto/tls_server_connection.cc
@@ -52,6 +52,10 @@
 SSL_CTX_set_select_certificate_cb(
 ssl_ctx.get(), &TlsServerConnection::EarlySelectCertCallback);
 SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
+
+ // Allow ProofSource to change SSL_CTX settings.
+ proof_source->OnNewSslCtx(ssl_ctx.get());
+
 return ssl_ctx;
 }
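Review bot: `proof_source->OnNewSslCtx(ssl_ctx.get());` runs after `SSL_CTX_set_select_certificate_cb` and `SSL_CTX_set_options`, so anything an override sets silently wins over the configuration made just above it, and nothing checks the context before `return ssl_ctx;`. If that ordering is intentional, the call-site comment should say so, for example `// Called last on purpose: a ProofSource override may replace any setting made above, so implementations are trusted code.` The pointer is also dereferenced with no null check visible in the hunk. The function begins outside the hunk, so an earlier use may already guarantee it is non-null; if not, a debug assertion before the call would document the assumption.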