How to implement Server Name Indication (SNI)

问题

How to implement Server Name Indication(SNI) on OpenSSL in C or C++?

Are there any real world examples available?

回答1:

On the client side, you use SSL_set_tlsext_host_name(ssl, servername) before initiating the SSL connection.

On the server side, it's a little more complicated:

• Set up an additional SSL_CTX() for each different certificate;
• Add a servername callback to each SSL_CTX() using SSL_CTX_set_tlsext_servername_callback();
• In the callback, retrieve the client-supplied servername with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name). Figure out the right SSL_CTX to go with that host name, then switch the SSL object to that SSL_CTX with SSL_set_SSL_CTX().

The s_client.c and s_server.c files in the apps/ directory of the OpenSSL source distribution implement this functionality, so they're a good resource to see how it should be done.

来源：https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni