OpenBSD manual page server

Manual Page Search Parameters

SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK(3) Library Functions Manual SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK(3)

SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg, SSL_get_servername_type, SSL_get_servername, SSL_set_tlsext_host_namehandle server name indication (SNI)

#include <openssl/ssl.h>

long
SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int *alert, void *arg));

long
SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);

const char *
SSL_get_servername(const SSL *ssl, const int type);

int
SSL_get_servername_type(const SSL *ssl);

int
SSL_set_tlsext_host_name(const SSL *ssl, const char *name);

() sets the application callback cb used by a server to perform any actions or configuration required based on the servername extension received in the incoming connection. Like the ALPN callback, it is executed during Client Hello processing. When cb is NULL, SNI is not used.

The servername callback should return one of the following values:

This is used to indicate that the servername requested by the client has been accepted. Typically a server will call SSL_set_SSL_CTX(3) in the callback to set up a different configuration for the selected servername in this case.
In this case the servername requested by the client is not accepted and the handshake will be aborted. The value of the alert to be used should be stored in the location pointed to by the alert parameter to the callback. By default this value is initialised to SSL_AD_UNRECOGNIZED_NAME.
If this value is returned, then the servername is not accepted by the server. However, the handshake will continue and send a warning alert instead. The value of the alert should be stored in the location pointed to by the alert parameter as for SSL_TLSEXT_ERR_ALERT_FATAL above. Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has been negotiated then this return value is treated the same way as SSL_TLSEXT_ERR_NOACK.
This return value indicates that the servername is not accepted by the server. No alerts are sent and the server will not acknowledge the requested servername.

() sets a context-specific argument to be passed into the callback via the arg parameter for ctx.

() sets the server name indication ClientHello extension to contain the value name, or clears it if name is NULL. The type of server name indication extension is set to TLSEXT_NAMETYPE_host_name as defined in RFC 3546.

All three functions are implemented as macros.

SSL_CTX_set_tlsext_servername_callback() and SSL_CTX_set_tlsext_servername_arg() always return 1 indicating success.

SSL_get_servername() returns a servername extension value of the specified type if provided in the Client Hello, or NULL otherwise.

SSL_get_servername_type() returns the servername type or -1 if no servername is present. Currently the only supported type (defined in RFC 3546) is TLSEXT_NAMETYPE_host_name.

SSL_set_tlsext_host_name() returns 1 on success or 0 in case of an error.

ssl(3), SSL_CTX_callback_ctrl(3), SSL_CTX_set_alpn_select_cb(3)

These functions first appeared in OpenSSL 0.9.8f and have been available since OpenBSD 4.5.

September 1, 2021 OpenBSD-current