C开发, 支持 Server Name Indication (SNI)

Server Name Indication (SNI)

关于 Server Name Indication (SNI), 可以参考文章

• https://blog.csdn.net/firefile/article/details/80532161
• https://blog.51cto.com/zengestudy/2170245

如何支持SNI

第一, 服务器在执行SSL_accept的时候

• 已经创建好了 SSL_CTX *ctx;
• 依赖上述SSL_CTX创建了 SSL *ssl;

第二, 对上述ctx提前执行

SSL_CTX_set_tlsext_servername_callback(ctx,  _change_ssl_ctx_by_servername);

int _change_ssl_ctx_by_servername(SSL *ssl, int *ad, void *arg)
{
	/* 获取 servername */
	const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
	
	/* 根据servername, 查找或创建匹配的SSL_CTX */
	SSL_CTX *another_ctx = find_or_create_SSL_CTX_by_servername(servername);
	
	/* 把当前ssl的SSL_CTX设置为 another_ctx */
	SSL_set_SSL_CTX(ssl, another_ctx);
	
	return SSL_TLSEXT_ERR_OK;
	/* PS: servername, another_ctx都可能为 NULL */
	/* 此时函数应该返回 SSL_TLSEXT_ERR_NOACK */
}

列几个相关的openssl函数

long SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx, int (*cb)(SSL *, int *, void *));
long SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);

const char *SSL_get_servername(const SSL *s, const int type);

SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);

LIB-ZC的对SNI的封装

https://gitee.com/linuxmail/lib-zc/blob/master/src/stdlib/openssl.c