如何实现服务器名称指示(SNI)
问题描述:
如何实现服务器名称指示OpenSSL的(SNI)在C或C ++?
How to implement Server Name Indication(SNI) on OpenSSL in C or C++?
是否有任何现实世界的例子可用?
Are there any real world examples available?
答
在客户端,使用 SSL_set_tlsext_host_name(SSL,服务器名)启动SSL连接之前。
On the client side, you use SSL_set_tlsext_host_name(ssl, servername) before initiating the SSL connection.
在服务器端,这是一个有点复杂:
On the server side, it's a little more complicated:
- 设置了一个附加的
SSL_CTX()为每个不同的证书; - 一个服务器回调添加到每个
SSL_CTX()使用SSL_CTX_set_tlsext_servername_callback(); - 在回调,检索与
客户端提供的服务器名SSL_get_servername(SSL,TLSEXT_NAMETYPE_host_name)。弄清楚SSL_CTX的权利去与该主机名,那么SSL对象切换到SSL_CTX与SSL_set_SSL_CTX()。
- Set up an additional
SSL_CTX()for each different certificate; - Add a servername callback to each
SSL_CTX()usingSSL_CTX_set_tlsext_servername_callback(); - In the callback, retrieve the client-supplied servername with
SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name). Figure out the rightSSL_CTXto go with that host name, then switch theSSLobject to thatSSL_CTXwithSSL_set_SSL_CTX().
的 s_client.c 和 s_server.c 在应用程序/ 文件code> OpenSSL的源代码发布的目录实现这个功能,所以他们是一个很好的资源,看看它应该怎么做。
The s_client.c and s_server.c files in the apps/ directory of the OpenSSL source distribution implement this functionality, so they're a good resource to see how it should be done.