SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK(3SSL) | OpenSSL | SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK(3SSL) |
SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg, SSL_get_servername_type, SSL_get_servername, SSL_set_tlsext_host_name - handle server name indication (SNI)
#include <openssl/ssl.h> long SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx, int (*cb)(SSL *s, int *al, void *arg)); long SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg); const char *SSL_get_servername(const SSL *s, const int type); int SSL_get_servername_type(const SSL *s); int SSL_set_tlsext_host_name(const SSL *s, const char *name);
The functionality provided by the servername callback is mostly superseded by the ClientHello callback, which can be set using SSL_CTX_set_client_hello_cb(). However, even where the ClientHello callback is used, the servername callback is still necessary in order to acknowledge the servername requested by the client.
SSL_CTX_set_tlsext_servername_callback() sets the application callback cb used by a server to perform any actions or configuration required based on the servername extension received in the incoming connection. When cb is NULL, SNI is not used.
The servername callback should return one of the following values:
SSL_CTX_set_tlsext_servername_arg() sets a context-specific argument to be passed into the callback (via the arg parameter) for this SSL_CTX.
The behaviour of SSL_get_servername() depends on a number of different factors. In particular note that in TLSv1.3 the servername is negotiated in every handshake. In TLSv1.2 the servername is only negotiated on initial handshakes and not on resumption handshakes.
If one has not been set, but a TLSv1.2 resumption is being attempted and the session from the original handshake had a servername accepted by the server then it will return that servername.
Otherwise it returns NULL.
Otherwise it returns the servername set via SSL_set_tlsext_host_name() or NULL if it was not called.
Note that the ClientHello callback occurs before a servername extension from the client is processed. The servername, certificate and ALPN callbacks occur after a servername extension from the client is processed.
SSL_get_servername_type() returns the servername type or -1 if no servername is present. Currently the only supported type (defined in RFC3546) is TLSEXT_NAMETYPE_host_name.
SSL_set_tlsext_host_name() sets the server name indication ClientHello extension to contain the value name. The type of server name indication extension is set to TLSEXT_NAMETYPE_host_name (defined in RFC3546).
Several callbacks are executed during ClientHello processing, including the ClientHello, ALPN, and servername callbacks. The ClientHello callback is executed first, then the servername callback, followed by the ALPN callback.
The SSL_set_tlsext_host_name() function should only be called on SSL objects that will act as clients; otherwise the configured name will be ignored.
SSL_CTX_set_tlsext_servername_callback() and SSL_CTX_set_tlsext_servername_arg() both always return 1 indicating success. SSL_set_tlsext_host_name() returns 1 on success, 0 in case of error.
ssl(7), SSL_CTX_set_alpn_select_cb(3), SSL_get0_alpn_selected(3), SSL_CTX_set_client_hello_cb(3)
SSL_get_servername() historically provided some unexpected results in certain corner cases. This has been fixed from OpenSSL 1.1.1e.
Prior to 1.1.1e, when the client requested a servername in an initial TLSv1.2 handshake, the server accepted it, and then the client successfully resumed but set a different explicit servername in the second handshake then when called by the client it returned the servername from the second handshake. This has now been changed to return the servername requested in the original handshake.
Also prior to 1.1.1e, if the client sent a servername in the first handshake but the server did not accept it, and then a second handshake occurred where TLSv1.2 resumption was successful then when called by the server it returned the servername requested in the original handshake. This has now been changed to NULL.
Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.
2022-06-24 | 1.1.1n |