From 3f0490ebc96a44a13b96cd4b4f57f4172204a445 Mon Sep 17 00:00:00 2001
From: klemek
Date: Sat, 9 May 2026 12:25:36 +0200
Subject: [PATCH] fix: use servername callback instead of sni callback

---
 stapler/cert_manager.py | 9 +++++++--
 stapler/server.py | 2 +-
 tests/test_cert_manager.py | 18 ++++++++++--------
 tests/test_server.py | 3 ++-
 4 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/stapler/cert_manager.py b/stapler/cert_manager.py
index 2b8525b..804cf6d 100644
--- a/stapler/cert_manager.py
+++ b/stapler/cert_manager.py
@@ -185,11 +185,16 @@ class CertManager:
 return False
 return self.__exists_certbot(host)
 
- def sni_callback(
- self, socket: ssl.SSLObject, host: str | None, _: ssl.SSLContext, /
+ def servername_callback(
+ self,
+ socket: ssl.SSLSocket | ssl.SSLObject,
+ host: str | None,
+ _: ssl.SSLSocket,
+ /,
 ) -> None | int:
 if host is None:
 return None
+ self.logger.debug("servername callback: %s", host)
 if not self.exists(host) and not self.create_or_update(host):
 return None
 cert_file = self.get_cert(host)
diff --git a/stapler/server.py b/stapler/server.py
index da5baf2..71686a2 100644
--- a/stapler/server.py
+++ b/stapler/server.py
@@ -73,7 +73,7 @@ class StaplerServer:
 )
 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
 server.socket = context.wrap_socket(server.socket, server_side=True)
- context.sni_callback = self.cert_manager.sni_callback
+ context.set_servername_callback(self.cert_manager.servername_callback)
 else:
 server = http.server.ThreadingHTTPServer(
 (
diff --git a/tests/test_cert_manager.py b/tests/test_cert_manager.py
index 019078b..7debbfe 100644
--- a/tests/test_cert_manager.py
+++ b/tests/test_cert_manager.py
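Review bot: `host` in `servername_callback` is the client-supplied SNI name from the ClientHello, and it reaches `self.exists(host)`, `self.create_or_update(host)` and `self.get_cert(host)` with no validation beyond the `None` check, so any unauthenticated client controls the name that is looked up on disk and, if `create_or_update` shells out to certbot as the `shutil.which` patches in the tests suggest, the name that an issuance attempt is made for. A syntactic guard before those calls bounds this, e.g. `if isinstance(host, bytes) or not _HOSTNAME_RE.fullmatch(host): return None` with a module-level `_HOSTNAME_RE = re.compile(r"[a-z0-9.-]{1,253}")` (constructed example); the `isinstance` part matters because CPython, if I recall correctly, hands the callback `bytes` rather than `str` when the name is not ASCII, which also makes the `str | None` annotation incomplete. The third parameter is the original `SSLContext` per the `set_servername_callback` documentation, and the tests pass `self.context_mock` in that position, so the new annotation `_: ssl.SSLSocket` should stay `_: ssl.SSLContext`. The body of `servername_callback` continues outside the hunk.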
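Review bot: `set_servername_callback` is described in the `ssl` module documentation as a legacy API retained for backwards compatibility, with the `sni_callback` attribute the recommended form, and neither the hunk nor the commit message records what the attribute form broke, so the reason belongs next to the call, e.g. `# set_servername_callback() is the legacy form of sni_callback; used here because <reason — fill in>`. Registering the callback after `wrap_socket` is fine for a listening socket since no handshake has run yet, but the `context` created two lines above never loads a certificate of its own, so a client that sends no SNI, or one for which `servername_callback` returns `None`, will presumably fail the handshake; a one-line comment that this fail-closed behaviour is intended would save the next reader from treating it as a bug. The enclosing `if`/`else` continues outside the hunk.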
@@ -161,24 +161,26 @@ class TestRegistry(BaseTestCase):
 lambda: self.cert_manager.get_key("example.com"),
 )
 
- def test_sni_callback_no_host(self) -> None:
+ def test_servername_callback_no_host(self) -> None:
 self._make_self_signed("example.com")
 with (
 self.patch("ssl.create_default_context", count=0),
 ):
- self.cert_manager.sni_callback(self.socket_mock, None, self.context_mock)
+ self.cert_manager.servername_callback(
+ self.socket_mock, None, self.context_mock
+ )
 
- def test_sni_callback_fail(self) -> None:
+ def test_servername_callback_fail(self) -> None:
 self._make_self_signed("example.com")
 with (
 self.patch("shutil.which", count=3),
 self.patch("ssl.create_default_context", count=0),
 ):
- self.cert_manager.sni_callback(
+ self.cert_manager.servername_callback(
 self.socket_mock, "example.fr", self.context_mock
 )
 
- def test_sni_callback_create_context(self) -> None:
+ def test_servername_callback_create_context(self) -> None:
 self._make_self_signed("example.com")
 with (
 self.patch("ssl.create_default_context", return_value=self.context_mock),
@@ -191,18 +193,18 @@ class TestRegistry(BaseTestCase):
 ),
 self.patch("shutil.which", count=0),
 ):
- self.cert_manager.sni_callback(
+ self.cert_manager.servername_callback(
 self.socket_mock, "example.com", self.context_mock
 )
 
- def test_sni_callback_create_context_fail(self) -> None:
+ def test_servername_callback_create_context_fail(self) -> None:
 self._make_self_signed("example.com")
 with (
 self.patch("ssl.create_default_context", return_value=self.context_mock),
 self.patch("shutil.which", count=0),
 ):
 self.context_mock.load_cert_chain.side_effect = Exception
- self.cert_manager.sni_callback(
+ self.cert_manager.servername_callback(
 self.socket_mock, "example.com", self.context_mock
 )
 self.context_mock.load_cert_chain.assert_called_once_with(
diff --git a/tests/test_server.py b/tests/test_server.py
index 5ffab52..6cc979d 100644
--- a/tests/test_server.py
+++ b/tests/test_server.py
@@ -65,7 +65,7 @@ class TestStaplerServer(BaseTestCase):
 
 def test_run_https(self) -> None:
 self.token_manager.detect_file_change.side_effect = KeyboardInterrupt
- self.cert_manager.sni_callback = unittest.mock.Mock()
+ self.cert_manager.servername_callback = unittest.mock.Mock()
 with (
 self.mock_call(self.registry.load_pages),
 self.mock_call(self.cert_manager.init),
@@ -74,6 +74,7 @@ class TestStaplerServer(BaseTestCase):
 self.patch("ssl.create_default_context", return_value=self.context_mock),
 self.patch("http.server.ThreadingHTTPServer", self.server_mock, 2),
 self.mock_call_unchecked(self.context_mock.wrap_socket),
+ self.mock_call_unchecked(self.context_mock.set_servername_callback),
 self.mock_calls_unchecked(self.server_mock.serve_forever, 2),
 self.mock_call(self.server_mock.shutdown),
 self.seal_mocks(),
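Review bot: The new `self.mock_call_unchecked(self.context_mock.set_servername_callback)` in the second hunk only records that the method was called, not that its argument is the `unittest.mock.Mock()` assigned to `self.cert_manager.servername_callback` in the first hunk, so a regression that registers a different callable, or registers it on the wrong context, would still pass. If the test helpers offer an expected-argument form, pinning it as `self.mock_call(self.context_mock.set_servername_callback, self.cert_manager.servername_callback)` (or the equivalent `assert_called_once_with` after the `with` block) would close that gap; I cannot see the helper signatures from here. The `with` block this line belongs to starts before the hunk and ends after it.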