1 (edited by beaveryoga 2021-09-05 07:34:49)

Topic: wolfSSL_CTX_set_servername_callback: virtual hosting revisited

Where is wolfSSL_CTX_set_servername_callback documented with examples?

Google searches for SNI/virtual hosting support in a wolfSSL-based server directed us to peek at the ClientHello raw bytes
and use wolfSSL_SNI_GetFromBuffer() to detect the server_name extension.

But...wolfSSL has wolfSSL_CTX_set_servername_callback: this does not seem to be documented anywhere.

Does this mean that to support virtual hosts we can:
1. Set a default wolfSSL_CTX for the initial listen/accept connection
2. Use the servername callback to swap out the original wolfSSL_CTX with wolfSSL_set_SSL_CTX if we want to use different credentials (key/cert)

This is the standard method in OpenSSL virtual hosting and I wanted to confirm that wolfSSL supports this pattern.

I discovered this when reading the code for OpenSIPS, which uses wolfSSL in exactly this way to support virtual hosting.

It is surprising that when wolfSSL and SNI/virtual hosting are raised this function is never mentioned.


Re: wolfSSL_CTX_set_servername_callback: virtual hosting revisited

Hello beaveryoga,

Thanks for joining the forums. This functionality was added to enable OpenSSL compatibility. It looks like the proper API is `wolfSSL_CTX_set_tlsext_servername_callback`, which is nearly identical to `wolfSSL_CTX_set_servername_callback`.

I could not find any OpenSSL examples of using `SSL_CTX_set_servername_callback`. I'll check with the n team to see if there is more info to share.

Thanks,
Eric @ wolfSSL Support

Re: wolfSSL_CTX_set_servername_callback: virtual hosting revisited

wolfSSL has two functions, with and without the `_tlsext_` part.

```c
void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb)
{
    WOLFSSL_ENTER("wolfSSL_CTX_set_servername_callback");
    if (ctx)
        ctx->sniRecvCb = cb;
}

int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX* ctx,
                                               CallbackSniRecv cb)
{
    WOLFSSL_ENTER("wolfSSL_CTX_set_tlsext_servername_callback");
    if (ctx) {
        ctx->sniRecvCb = cb;
        return WOLFSSL_SUCCESS;
    }
    return WOLFSSL_FAILURE;
}
```

OpenSSL uses only one name, with `_tlsext_`.

So just to confirm that this is the official way to support SNI instead of peeking at raw ClientHello bytes?


Re: wolfSSL_CTX_set_servername_callback: virtual hosting revisited

From the server side, yes, the callback allows the server to handle the incoming SNI extension from the client.
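The virtual-hosting pattern confirmed above (default context on accept, servername callback swaps in the matching host's context), as an added example that is not code from the thread or from wolfSSL. The `vhost_*` names, the `HAVE_WOLFSSL_EXAMPLE` guard and the shim types are assumptions of this example; the wolfSSL calls in the guarded callback (`wolfSSL_SNI_GetRequest`, `wolfSSL_set_SSL_CTX`, `wolfSSL_CTX_set_servername_arg`) are assumed to behave as in wolfSSL's OpenSSL-compatibility layer.

```c
/* Added example (not from the thread or wolfSSL): SNI virtual-host dispatch for
 * the servername callback; without HAVE_WOLFSSL_EXAMPLE a hypothetical shim is used. */
#include <string.h>
#include <ctype.h>
#ifdef HAVE_WOLFSSL_EXAMPLE
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#else /* shim: shapes assumed to match wolfssl/ssl.h, not the real header */
typedef struct WOLFSSL WOLFSSL; typedef struct WOLFSSL_CTX WOLFSSL_CTX;
enum { SSL_TLSEXT_ERR_OK = 0, SSL_TLSEXT_ERR_NOACK = 3 };
#endif

struct vhost { const char *name; WOLFSSL_CTX *ctx; };   /* ctx holds this host's key/cert */
struct vhost_table { const struct vhost *hosts; size_t count; WOLFSSL_CTX *def; };

/* SNI names have an explicit length and no NUL: compare by length, case-insensitively. */
static int sni_name_eq(const char *a, const unsigned char *sni, size_t len) {
    if (strlen(a) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower(sni[i])) return 0;
    return 1;
}

/* No SNI (len == 0) keeps the default context; an unknown name yields NULL. */
WOLFSSL_CTX *vhost_select(const struct vhost_table *t, const void *sni, size_t len) {
    if (len == 0) return t->def;
    for (size_t i = 0; i < t->count; i++)
        if (sni_name_eq(t->hosts[i].name, sni, len)) return t->hosts[i].ctx;
    return NULL;
}

#ifdef HAVE_WOLFSSL_EXAMPLE
/* Install on the default ctx with wolfSSL_CTX_set_tlsext_servername_callback()
 * and pass the table through wolfSSL_CTX_set_servername_arg(). */
int sni_cb(WOLFSSL *ssl, int *ret, void *exArg) {
    void *name = NULL; (void)ret;
    unsigned short len = wolfSSL_SNI_GetRequest(ssl, WOLFSSL_SNI_HOST_NAME, &name);
    WOLFSSL_CTX *ctx = vhost_select(exArg, name, len);
    if (ctx == NULL) return SSL_TLSEXT_ERR_NOACK;  /* unknown host: stay on default */
    wolfSSL_set_SSL_CTX(ssl, ctx);                 /* swap in this host's credentials */
    return SSL_TLSEXT_ERR_OK;
}
#endif

/* Constructed table with stand-in ctx pointers; returns 1 if dispatch is correct. */
int vhost_selftest(void) {
    static int a, b, d;
    const struct vhost hosts[] = {{"alpha.example", (WOLFSSL_CTX*)&a}, {"beta.example", (WOLFSSL_CTX*)&b}};
    const struct vhost_table t = {hosts, 2, (WOLFSSL_CTX*)&d};
    return vhost_select(&t, "Alpha.Example", 13) == (WOLFSSL_CTX*)&a
        && vhost_select(&t, "beta.example.evil", 17) == NULL
        && vhost_select(&t, NULL, 0) == (WOLFSSL_CTX*)&d;
}
```

Returning `SSL_TLSEXT_ERR_NOACK` for an unknown name leaves the handshake on the default context rather than aborting it; a server that must not present the default certificate to unknown names would return a fatal alert code instead.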