handle server name indication
*ctx, int (*cb)(SSL *ssl, int *alert, void
*ctx, void *arg);
const char *
*ssl, const int type);
*ssl, const char *name);
sets the application callback cb used by a server to
perform any actions or configuration required based on the servername
extension received in the incoming connection. Like the ALPN callback, it is
executed during Client Hello processing. When cb is
NULL, SNI is not used.
The servername callback should return one of the following values:
- This is used to indicate that the servername requested by the client has been accepted. Typically a server will call SSL_set_SSL_CTX(3) in the callback to set up a different configuration for the selected servername in this case.
- In this case the servername requested by the client is not accepted and
the handshake will be aborted. The value of the alert to be used should be
stored in the location pointed to by the alert
parameter to the callback. By default this value is initialised to
- If this value is returned, then the servername is not accepted by the
server. However, the handshake will continue and send a warning alert
instead. The value of the alert should be stored in the location pointed
to by the alert parameter as for
SSL_TLSEXT_ERR_ALERT_FATALabove. Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has been negotiated then this return value is treated the same way as
- This return value indicates that the servername is not accepted by the server. No alerts are sent and the server will not acknowledge the requested servername.
sets a context-specific argument to be passed into the callback via the
arg parameter for ctx.
sets the server name indication ClientHello extension to contain the value
name, or clears it if name is
NULL. The type of server name indication extension
is set to
TLSEXT_NAMETYPE_host_name as defined in
All three functions are implemented as macros.
return 1 indicating success.
SSL_get_servername() returns a servername
extension value of the specified type if provided in the Client Hello, or
SSL_get_servername_type() returns the
servername type or -1 if no servername is present. Currently the only
supported type (defined in RFC 3546) is
SSL_set_tlsext_host_name() returns 1 on
success or 0 in case of an error.
ssl(3), SSL_CTX_callback_ctrl(3), SSL_CTX_set_alpn_select_cb(3)
These functions first appeared in OpenSSL 0.9.8f and have been available since OpenBSD 4.5.