SSL_CTX_set_tlsext_servername_callback回调函数未被调用 [英] SSL_CTX_set_tlsext_servername_callback callback function not being called

问题描述

我正在写一个https服务器，我需要从客户端获取主机名，在ssl_accept（）使用SNI。我使用SSL_CTX_set_tlsext_servername_callback（）接收主机名，但回调根本不会得到调用。这是我的代码

I am writing a https server and i need to get host name from client before ssl_accept() using SNI. I am using SSL_CTX_set_tlsext_servername_callback() to receive host name but the callback not at all get called. Here is part of my code

// Server Name Indication callback from OpenSSL
static int serverNameCallback(SSL *ssl, int *ad, void *arg) 
{
    if (ssl == NULL)
        return SSL_TLSEXT_ERR_NOACK;

    const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    printf("ServerName: %s\n", servername);
}

int main()
{
    //some code 
    const SSL_METHOD *method;
    SSL_CTX *ctx;

    method = SSLv3_server_method();  
    ctx = SSL_CTX_new(method);   
    if ( ctx == NULL )
    { 
        printf("SSL_ctx_new() error\n");
    }

    int ret = SSL_CTX_set_tlsext_servername_callback(ctx, serverNameCallback);
}

推荐答案

我写了一个https服务器，我需要从客户端ssl_accept（）使用SNI之前获取主机名。

I am writing a https server and i need to get host name from client before ssl_accept() using SNI.

调用 SSL_CTX_set_tlsext_servername_callback 。

您的SNI回呼不是 呼叫SSLv2和SSLv3用户端。这是因为SNI是一个TLS扩展。

Your SNI callback is not called for SSLv2 and SSLv3 clients. That's because SNI is a TLS extension.

如果客户端是Windows XP（或类似的，不使用TLS的扩展），那么你的SNI回调将被调用，但 servername 将为 NULL 。在这种情况下，您应该使用默认的服务器上下文。

If the client is Windows XP (or similar that don't use the extension with TLS), then your SNI callback will be invoked, but servername will be NULL. In this case, you should use the default server context.

如果客户端使用TLS并发送服务器名称，那么将调用SNI回调。在回调中，您应该（1）确定默认证书和上下文是否正常。如果确定，则返回 SSL_TLSEXT_ERR_OK 。 （2）如果您可以提供更合适的证书，请使用 SSL_set_SSL_CTX 在新上下文中切换，并返回 SSL_TLSEXT_ERR_OK 。

If the client is using TLS and send s the server name, then your SNI callback will be invoked. In the callback, you should (1) determine if the default certificate and context is OK. If it is OK, then return SSL_TLSEXT_ERR_OK. (2) If you can provide a more appropriate certificate, then use SSL_set_SSL_CTX to swap in the new context and return SSL_TLSEXT_ERR_OK.

如果您遇到错误（如 NULL servername ），那么应该返回 SSL_TLSEXT_ERR_NOACK 。还有另外两个错误代码可以返回。这两个都是致命的连接，IIRC。

If you experience an error (like a NULL servername), then you should return SSL_TLSEXT_ERR_NOACK. There's two other error codes you can return. Both are fatal to the connection, IIRC.

回调的实现细节在在一个框中使用SNI服务多个域。

这篇关于SSL_CTX_set_tlsext_servername_callback回调函数未被调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！