Closed TechnikEmpire closed 2 days ago
It is possible to use SNIHandler and insert NIOSSLServerHandler with the required context (certificate).
It is indeed. However, we should have a plan to supplement this, as the SNIHandler is not capable of handling an encrypted ClientHello, and doesn’t work with QUIC.
SSL_CTX_set_tlsext_servername_callback is not implemented. To write a modern TLS-enabled server, this callback is required. Why? Because a modern server should be capable of being initialized with a default SSL_CTX that implements the SNI callback and, if executed (when SNI is present in the client hello), you should be able to fetch or generate an SSL_CTX specifically for that host (fetched with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) and then also dynamically change the context in use for that connected client's SSL object via SSL_set_SSL_CTX() before returning from the callback. Without this, you can only write servers like it's 2002 (SNI was introduced in 2003).
I'll see if I can do a PR but it may not come soon. It should be trivial to implement for someone who already knows their way around this library.