Closed pepone closed 1 month ago
The new sslNewSessionCallback
is called before the handshake starts; the SNI hostname is not available in the server until the ClientHello is received.
One option which can already work is to use SSL_CTX_set_tlsext_servername_callback
and set the server certificate from this callback.
We should consider if delaying the call to the sslNewSessionCallback
until ClientHello is received is preferred. (Not sure if it is possible)
For the SecureTransport protocol, the kSSLSessionOptionBreakOnClientHello option allows us to stop the handshake once the Client Hello message is received. At this point, we can use SSLCopyRequestedPeerName to retrieve the SNI (Server Name Indication) hostname.
Based on this, we can update the serverCertificateSelectionCallback and sslNewSessionCallback functions to include an additional parameter for the SNI hostname.
Regarding Schannel, there is no built-in support for retrieving the hostname. Implementing this would require manually parsing the Client Hello message to extract the name from the SNI extensions, which I would rather not do.
For OpenSSL, I recommend that applications handle this directly using the provided OpenSSL APIs, specifically SSL_CTX_set_client_hello_cb and SSL_CTX_set_tlsext_servername_callback.
In summary, I propose we update the macOS/iOS callbacks to provide the SNI name while leaving the OpenSSL and Schannel APIs unchanged.
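The manual ClientHello parsing mentioned above for Schannel, as an added example that is not part of the Ice project or this thread: a bounds-checked extractor for the RFC 6066 server_name extension, run on a constructed ClientHello (the function and sample names are assumptions, not Ice or Schannel APIs). It shows the length-prefixed walk that the SecureTransport and OpenSSL APIs discussed here perform internally, refusing truncated or inconsistent input rather than guessing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NEED(n) do { if (end - pos < (size_t)(n)) return 0; } while (0)
#define SKIP(n) do { pos += (size_t)(n); if (pos > end) return 0; } while (0)
static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Copy the RFC 6066 server_name host_name out of a raw TLS ClientHello
 * (record header + handshake). Returns the name length, or 0 when the
 * extension is absent or any length field runs past the buffer. */
size_t tls_client_hello_sni(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    size_t pos = 5, end, ext_end, nlen;
    if (len < 5 || buf[0] != 0x16) return 0;         /* record type must be handshake */
    end = 5 + rd16(buf + 3);
    if (end > len) return 0;                         /* truncated record: refuse, don't guess */
    NEED(38); if (buf[pos] != 0x01) return 0;        /* client_hello(1) len(3) version(2) random(32) */
    SKIP(38);
    NEED(1); SKIP(1 + buf[pos]);                     /* session_id<0..32> */
    NEED(2); SKIP(2 + rd16(buf + pos));              /* cipher_suites<2..2^16-2> */
    NEED(1); SKIP(1 + buf[pos]);                     /* compression_methods<1..2^8-1> */
    NEED(2); ext_end = pos + 2 + rd16(buf + pos); pos += 2;
    if (ext_end > end) return 0;
    while (ext_end - pos >= 4) {                     /* extension: type(2) length(2) data */
        size_t type = rd16(buf + pos), elen = rd16(buf + pos + 2);
        const uint8_t *p = buf + pos + 4; pos += 4;
        if (ext_end - pos < elen) return 0;
        if (type != 0) { pos += elen; continue; }    /* skip everything but server_name */
        /* ServerNameList len(2), name_type(1)=0 host_name, HostName len(2), bytes */
        if (elen < 5 || rd16(p) != elen - 2 || p[2] != 0) return 0;
        nlen = rd16(p + 3);
        if (nlen == 0 || nlen + 5 > elen || nlen >= out_len) return 0;
        memcpy(out, p + 5, nlen);
        out[nlen] = '\0';
        return nlen;
    }
    return 0;                                        /* no server_name extension */
}

/* Constructed sample (not a real capture): a minimal TLS 1.2 ClientHello whose
 * second extension is server_name for "example.com". */
static const uint8_t kSampleClientHello[] = {
    0x16, 0x03, 0x01, 0x00, 0x4b,                    /* record: handshake, length 75 */
    0x01, 0x00, 0x00, 0x47, 0x03, 0x03,              /* client_hello, length 71, TLS 1.2 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* random (32) */
    0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00,        /* no session_id; one suite; null compression */
    0x00, 0x1c,                                      /* extensions length 28 */
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d,  /* supported_groups: x25519 */
    0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x00, 0x0b, /* server_name, host_name, len 11 */
    'e','x','a','m','p','l','e','.','c','o','m'
};
```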
I think I would just leave them as they are and not pass SNI for macOS/iOS.
Should we also provide the SNI hostname if it's available for these?
_Originally posted by @externl in https://github.com/zeroc-ice/ice/pull/2063#discussion_r1581412901_