SSLContext.set_servername_callback(server_name_callback)
Register a callback function that will be called after the TLS Client Hello handshake message has been received by the SSL/TLS server when the TLS client specifies a server name indication. The server name indication mechanism is specified in RFC 6066 section 3 - Server Name Indication.
Only one callback can be set per SSLContext
. If server_name_callback is None
then the callback is disabled. Calling this function a subsequent time will disable the previously registered callback.
The callback function, server_name_callback, will be called with three arguments; the first being the ssl.SSLSocket
, the second is a string that represents the server name that the client is intending to communicate (or None
if the TLS Client Hello does not contain a server name) and the third argument is the original SSLContext
. The server name argument is the IDNA decoded server name.
A typical use of this callback is to change the ssl.SSLSocket
‘s SSLSocket.context
attribute to a new object of type SSLContext
representing a certificate chain that matches the server name.
Due to the early negotiation phase of the TLS connection, only limited methods and attributes are usable like SSLSocket.selected_alpn_protocol()
and SSLSocket.context
. SSLSocket.getpeercert()
, SSLSocket.getpeercert()
, SSLSocket.cipher()
and SSLSocket.compress()
methods require that the TLS connection has progressed beyond the TLS Client Hello and therefore will not contain return meaningful values nor can they be called safely.
The server_name_callback function must return None
to allow the TLS negotiation to continue. If a TLS failure is required, a constant ALERT_DESCRIPTION_*
can be returned. Other return values will result in a TLS fatal error with ALERT_DESCRIPTION_INTERNAL_ERROR
.
If there is an IDNA decoding error on the server name, the TLS connection will terminate with an ALERT_DESCRIPTION_INTERNAL_ERROR
fatal TLS alert message to the client.
If an exception is raised from the server_name_callback function the TLS connection will terminate with a fatal TLS alert message ALERT_DESCRIPTION_HANDSHAKE_FAILURE
.
This method will raise NotImplementedError
if the OpenSSL library had OPENSSL_NO_TLSEXT defined when it was built.
New in version 3.4.
Please login to continue.