openssl使用sni支持多域名、多证书服务

 

// Per-domain server contexts, looked up by the SNI host name inside
// serverNameCallback.
// NOTE(review): the template arguments appear to have been stripped from this
// declaration -- presumably std::map<std::string, SSL_CTX*>; confirm against the
// original header.
map g_ctxMap;
// The generic/default server context. Per the comment further down, accepted
// client sockets are bound to this one first; the SNI callback then re-binds
// the connection to the per-domain context. NULL until SSL_CTX_new() runs.
SSL_CTX* serverSslCtx = NULL;
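// SNI callback, installed with SSL_CTX_set_tlsext_servername_callback().
// OpenSSL invokes it after parsing the ClientHello and before the server
// certificate is sent. It moves the connection onto the SSL_CTX registered for
// the requested host name and falls back to the default context when the
// client sent no name or an unknown one.
//
// @param ssl  the connection being negotiated (NULL is tolerated)
// @param ad   out: TLS alert descriptor; only read by OpenSSL when an
//             SSL_TLSEXT_ERR_ALERT_* code is returned, so it is left untouched
// @param arg  user pointer given to SSL_CTX_set_tlsext_servername_callback (unused)
// @return SSL_TLSEXT_ERR_OK once a context is bound, SSL_TLSEXT_ERR_NOACK when
//         the handshake should simply continue with the context already on ssl
static int serverNameCallback(SSL * ssl, int * ad, void * arg)
{
	(void)ad;
	(void)arg;
	if (ssl == NULL)
		return SSL_TLSEXT_ERR_NOACK;

	// The name is taken verbatim from the client's ClientHello: treat it as
	// untrusted input and use it only as a lookup key.
	const char * servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
	SSL_CTX* ctx = NULL;
	if (servername && strlen(servername) > 0)
	{
		_OUTPUT(INFO, "%s name = %s\n", __FUNCTION__, servername);
		// NOTE(review): assumes g_ctxMap is std::map<std::string, SSL_CTX*>
		// (its template arguments are not visible in this listing) -- confirm.
		auto it = g_ctxMap.find(servername);
		if (it != g_ctxMap.end())
			ctx = it->second;
	}
	else
	{
		_OUTPUT(INFO, "%s name is NULL\n", __FUNCTION__);
	}

	// Missing or unknown name: stay on the default context. Without this the
	// SSL_CTX_get_* calls below dereference a NULL ctx.
	if (ctx == NULL)
		ctx = serverSslCtx;
	if (ctx == NULL)
		return SSL_TLSEXT_ERR_NOACK;

	// SSL_set_SSL_CTX() only swaps the certificate/key material; the
	// verification settings and options live on the connection, so they are
	// copied over explicitly. SSL_set_options() ORs bits in -- it can add
	// options from ctx but never clear ones already set on ssl.
	if (SSL_set_SSL_CTX(ssl, ctx) == NULL)
		return SSL_TLSEXT_ERR_NOACK;
	SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
	               SSL_CTX_get_verify_callback(ctx));
	SSL_set_verify_depth(ssl, SSL_CTX_get_verify_depth(ctx));
	SSL_set_options(ssl, SSL_CTX_get_options(ctx));
	return SSL_TLSEXT_ERR_OK;
}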

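// Create the generic server context and install the SNI callback.
// Accepted client sockets are bound to this context; once the ClientHello
// arrives the callback fires and re-binds the connection to the per-domain
// SSL_CTX.
// SSLv23_server_method() is the legacy name of the version-flexible method
// (TLS_server_method() from OpenSSL 1.1.0 on); it still negotiates every
// protocol the library supports, so SSLv2/SSLv3 are disabled explicitly here.
serverSslCtx = SSL_CTX_new(SSLv23_server_method());
if (serverSslCtx == NULL)
{
	// SSL_CTX_new() returns NULL on allocation or method failure; nothing
	// below can run without a context. TODO: abort the caller's init path.
	_OUTPUT(INFO, "SSL_CTX_new failed\n");
}
else
{
	SSL_CTX_set_options(serverSslCtx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
	SSL_CTX_set_tlsext_servername_callback(serverSslCtx, serverNameCallback);
}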


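// Read the host name (commonName) out of the certificate loaded into the
// context, e.g. to use it as the g_ctxMap key.
// SSL_CTX_get0_certificate() returns NULL when no certificate has been set and
// the X509 it returns is owned by the context -- do not free it.
// For hostname matching the subjectAltName dNSName entries are authoritative
// (RFC 6125); the CN is only a fallback and may be absent or not a host name.
char csBuf[256] = { 0 };
X509* x509 = SSL_CTX_get0_certificate(serverSslCtx);
X509_NAME* pSubName = (x509 != NULL) ? X509_get_subject_name(x509) : NULL;
// X509_NAME_get_text_by_NID() returns -1 when the entry is missing or on error;
// csBuf is then left empty instead of holding whatever was written so far.
if (pSubName == NULL ||
    X509_NAME_get_text_by_NID(pSubName, NID_commonName, csBuf, (int)sizeof csBuf) < 0)
{
	csBuf[0] = '\0';
}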

 
