Description
SSL_CTX_set_tlsext_servername_callback is not implemented.
To write a modern TLS-enabled server, this callback is required. Why? Because a modern server should be capable of being initialized with a default SSL_CTX that implements the SNI callback and, if executed (when SNI is present in the client hello), you should be able to fetch or generate an SSL_CTX specifically for that host (fetched with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) and then also dynamically change the context in use for that connected client SSL object via SSL_set_SSL_CTX() before returning from the callback.
Without this, you can only write servers like it's 2002 (SNI was introduced in 2003).
I'll see if I can do a PR but it may not come soon. It should be trivial to implement for someone who already knows their way around this library.
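
The pattern described in this issue, as an added example that is not code from the issue or from the project: Python's `ssl` module exposes the same OpenSSL mechanism as `SSLContext.sni_callback` plus an assignable `context` attribute on the connection object. The hostnames are constructed and no certificates are loaded (assumption for an offline demo), so the handshake is expected to fail after the callback has run; only the context selection is shown.

```python
import ssl

def make_server_contexts(hostnames):
    """Return (default_ctx, per_host) where default_ctx carries the SNI callback."""
    # Constructed hostnames; a real server would call load_cert_chain() on each context.
    per_host = {h: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) for h in hostnames}
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    def on_sni(sslobj, server_name, initial_ctx):
        # server_name is None when the ClientHello carried no SNI extension.
        ctx = per_host.get(server_name)
        if ctx is not None:
            sslobj.context = ctx  # swaps the SSL_CTX for this one connection
        return None  # None lets the handshake continue; unknown names keep the default

    default.sni_callback = on_sni
    return default, per_host

def selected_context(default_ctx, client_sni):
    """Feed one in-memory ClientHello to the server and return the context it ends up with."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False      # demo only: allows a client without SNI
    client_ctx.verify_mode = ssl.CERT_NONE  # demo only: no certificates exist here
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=client_sni)
    server = default_ctx.wrap_bio(s_in, s_out, server_side=True)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the ClientHello is now waiting in c_out
    s_in.write(c_out.read())
    try:
        server.do_handshake()  # runs on_sni while processing the ClientHello
    except ssl.SSLError:
        pass  # expected: handshake cannot finish without a certificate
    return server.context

if __name__ == "__main__":
    default, per_host = make_server_contexts(["a.example", "b.example"])
    for name in ("a.example", "b.example", "other.example", None):
        chosen = selected_context(default, name)
        label = next((h for h, c in per_host.items() if c is chosen), "default")
        print(f"SNI={name!r} -> {label} context")
```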