apple / swift-nio-ssl

TLS Support for SwiftNIO, based on BoringSSL.
https://swiftpackageindex.com/apple/swift-nio-ssl/main/documentation/niossl
Apache License 2.0

Certificate selection for servers is missing #310

Closed TechnikEmpire closed 2 days ago

TechnikEmpire commented 3 years ago

SSL_CTX_set_tlsext_servername_callback is not implemented.

To write a modern TLS enabled server, this callback is required. Why? Because a modern server should be capable of being initialized with a default SSL_CTX that implements the SNI callback and, if executed (when SNI is present in the client hello), you should be able to fetch or generate an SSL_CTX specifically for that host (fetched with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) and then also dynamically change the context in use for that connected client SSL object via SSL_set_SSL_CTX() before returning from the callback.

Without this, you can only write servers like it's 2002 (SNI was introduced in 2003).

I'll see if I can do a PR but it may not come soon. It should be trivial to implement for someone who already knows their way around this library.

Dragollla commented 2 years ago

It is possible to use SNIHandler and insert NIOSSLServerHandler with the required context (certificate).
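The pattern Dragollla describes, written out as an added example (not code from this issue or from swift-nio-ssl itself): an SNIHandler reads the server_name extension from the ClientHello, picks a NIOSSLContext for that hostname, and installs NIOSSLServerHandler behind itself. The certificate paths, hostnames and the EchoHandler are assumptions made for the example.

```swift
import NIOCore
import NIOPosix
import NIOSSL

// Build one NIOSSLContext from a PEM certificate chain and private key (paths are assumptions).
func makeContext(certPath: String, keyPath: String) throws -> NIOSSLContext {
    let chain = try NIOSSLCertificate.fromPEMFile(certPath).map { NIOSSLCertificateSource.certificate($0) }
    let key = try NIOSSLPrivateKey(file: keyPath, format: .pem)
    let config = TLSConfiguration.makeServerConfiguration(certificateChain: chain, privateKey: .privateKey(key))
    return try NIOSSLContext(configuration: config)
}

// Constructed: a default certificate plus one per hostname this server fronts.
let defaultContext = try makeContext(certPath: "certs/default.pem", keyPath: "certs/default.key")
let contexts: [String: NIOSSLContext] = [
    "www.example.com": try makeContext(certPath: "certs/www.pem", keyPath: "certs/www.key"),
    "api.example.com": try makeContext(certPath: "certs/api.pem", keyPath: "certs/api.key"),
]
// Minimal application handler so the pipeline is complete: echoes the decrypted bytes.
final class EchoHandler: ChannelInboundHandler {
    typealias InboundIn = ByteBuffer
    func channelRead(context: ChannelHandlerContext, data: NIOAny) {
        context.writeAndFlush(data, promise: nil)
    }
}
let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
let bootstrap = ServerBootstrap(group: group)
    .childChannelInitializer { channel in
        // SNIHandler buffers the ClientHello, parses server_name, then calls this closure.
        let sniHandler = SNIHandler { result -> EventLoopFuture<Void> in
            let chosen: NIOSSLContext
            switch result {
            case .hostname(let name):
                // Hostnames are case-insensitive; an unknown name gets the default
                // certificate (closing the channel instead is the stricter option).
                chosen = contexts[name.lowercased()] ?? defaultContext
            case .fallback:
                // No server_name extension in the ClientHello.
                chosen = defaultContext
            }
            // SNIHandler is still first in the pipeline, so appending places the TLS handler
            // behind it; once this future completes SNIHandler removes itself and replays
            // the buffered ClientHello into NIOSSLServerHandler.
            return channel.pipeline.addHandlers([NIOSSLServerHandler(context: chosen), EchoHandler()])
        }
        return channel.pipeline.addHandler(sniHandler)
    }
let serverChannel = try bootstrap.bind(host: "0.0.0.0", port: 8443).wait()
try serverChannel.closeFuture.wait()
```

Because SNIHandler inspects the plaintext ClientHello, this selection only works where server_name is visible on the wire; it does not cover an encrypted ClientHello or QUIC, which is the gap the thread goes on to discuss.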

Lukasa commented 2 years ago

It is indeed. However, we should have a plan to supplement this, as the SNIHandler is not capable of handling an encrypted ClientHello, and doesn’t work with QUIC.