Expose QuicSslContextBuilder::sni (#16178) #16281

Merged: normanmaurer merged 3 commits into 5.0 from sni5 on Feb 18, 2026
@normanmaurer
Member

**Motivation:**

In order to be able to receive the `SniCompletionEvent`, SNI mapping
needs to be used; however, the function
`QuicSslContextBuilder::buildForServerWithSni` doesn't allow setting
`ClientAuth` and alternatively the builder doesn't allow setting the SNI
mapping.

This means there is currently no way to use both SNI mapping and
support/enforce client certs with QUIC.

**Modification:**

Expose the `QuicSslContextBuilder::sni` so that it's possible to create a
`QuicSslContext` with SNI mapping alongside other settings.

Also adds `QuicChannelConnectTest::testSniWithClientAuth` to validate

**Result:**

The following then works to allow both receiving the
`SniCompletionEvent` and requiring a client cert:
```
// Build context with clientAuth and trustManager configured
QuicSslContext sniContext = QuicSslContextBuilder.forServer(key, null, cert)
    .applicationProtocols("alpn/1")
    .clientAuth(ClientAuth.REQUIRE)
    // ... 
    .build();

// Create SNI-enabled context using the builder's sni() method
QuicSslContext serverContext = QuicSslContextBuilder.forServer(key, null, cert)
    .clientAuth(ClientAuth.REQUIRE)
    .sni(hostname -> sniContext)
    .build();
```

Co-authored-by: Norman Maurer <norman_maurer@apple.com>
normanmaurer added this to the 5.0.0.Final milestone Feb 16, 2026
normanmaurer merged commit a781541 into 5.0 Feb 18, 2026
12 of 13 checks passed
normanmaurer deleted the sni5 branch February 18, 2026 16:06