table of contents
SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK(3) | Library Functions Manual | SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK(3) |
NAME¶
SSL_CTX_set_tlsext_servername_callback
,
SSL_CTX_set_tlsext_servername_arg
,
SSL_get_servername_type
,
SSL_get_servername
,
SSL_set_tlsext_host_name
—
handle server name indication (SNI)
SYNOPSIS¶
#include
<openssl/ssl.h>
long
SSL_CTX_set_tlsext_servername_callback
(SSL_CTX
*ctx, int (*cb)(SSL *ssl, int *alert, void
*arg));
long
SSL_CTX_set_tlsext_servername_arg
(SSL_CTX
*ctx, void *arg);
const char *
SSL_get_servername
(const SSL
*ssl, const int type);
int
SSL_get_servername_type
(const SSL
*ssl);
int
SSL_set_tlsext_host_name
(const SSL
*ssl, const char *name);
DESCRIPTION¶
SSL_CTX_set_tlsext_servername_callback
()
sets the application callback cb used by a server to
perform any actions or configuration required based on the servername
extension received in the incoming connection. Like the ALPN callback, it is
executed during Client Hello processing. When cb is
NULL
, SNI is not used.
The servername callback should return one of the following values:
SSL_TLSEXT_ERR_OK
- This is used to indicate that the servername requested by the client has been accepted. Typically a server will call SSL_set_SSL_CTX(3) in the callback to set up a different configuration for the selected servername in this case.
SSL_TLSEXT_ERR_ALERT_FATAL
- In this case the servername requested by the client is not accepted and
the handshake will be aborted. The value of the alert to be used should be
stored in the location pointed to by the alert
parameter to the callback. By default this value is initialised to
SSL_AD_UNRECOGNIZED_NAME
. SSL_TLSEXT_ERR_ALERT_WARNING
- If this value is returned, then the servername is not accepted by the
server. However, the handshake will continue and send a warning alert
instead. The value of the alert should be stored in the location pointed
to by the alert parameter as for
SSL_TLSEXT_ERR_ALERT_FATAL
above. Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has been negotiated then this return value is treated the same way asSSL_TLSEXT_ERR_NOACK
. SSL_TLSEXT_ERR_NOACK
- This return value indicates that the servername is not accepted by the server. No alerts are sent and the server will not acknowledge the requested servername.
SSL_CTX_set_tlsext_servername_arg
()
sets a context-specific argument to be passed into the callback via the
arg parameter for ctx.
SSL_set_tlsext_host_name
()
sets the server name indication ClientHello extension to contain the value
name, or clears it if name is
NULL
. The type of server name indication extension
is set to TLSEXT_NAMETYPE_host_name
as defined in
RFC 3546.
All three functions are implemented as macros.
RETURN VALUES¶
SSL_CTX_set_tlsext_servername_callback
()
and SSL_CTX_set_tlsext_servername_arg
() always
return 1 indicating success.
SSL_get_servername
() returns a servername
extension value of the specified type if provided in the Client Hello, or
NULL
otherwise.
SSL_get_servername_type
() returns the
servername type or -1 if no servername is present. Currently the only
supported type (defined in RFC 3546) is
TLSEXT_NAMETYPE_host_name
.
SSL_set_tlsext_host_name
() returns 1 on
success or 0 in case of an error.
SEE ALSO¶
ssl(3), SSL_CTX_callback_ctrl(3), SSL_CTX_set_alpn_select_cb(3)
HISTORY¶
These functions first appeared in OpenSSL 0.9.8f and have been available since OpenBSD 4.5.
September 1, 2021 | Linux 6.4.0-150600.23.25-default |