diff --git a/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
new file mode 100644
index 00000000000..421436645b8
--- /dev/null
+++ b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
@@ -0,0 +1,33 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed
+ with this work for additional information regarding copyright
+ ownership. The ASF licenses this file to you under the Apache
+ License, Version 2.0 (the "License"); you may not use this file
+ except in compliance with the License. You may obtain a copy of
+ the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied. See the License for the specific language governing
+ permissions and limitations under the License.
+
+
+TSVConnSslSniGet
+================
+
+Synopsis
+--------
+
+.. code-block:: cpp
+
+ #include
+
+.. c:function:: const char TSVConnSslSniGet(TSVConn sslp, int *length)
+
+
+Description
+-----------
+Get the SNI (Server Name Indication) that corresponds to SSL connection :arg:`sslp`.
diff --git a/include/ts/ts.h b/include/ts/ts.h
index d2d216baae2..fd772724049 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1325,6 +1325,7 @@ tsapi int TSVConnIsSsl(TSVConn sslp); /* Returns 1 if a certificate was provided in the TLS handshake, 0 otherwise. */ tsapi int TSVConnProvidedSslCert(TSVConn sslp); +tsapi const char *TSVConnSslSniGet(TSVConn sslp, int *length); tsapi TSSslSession TSSslSessionGet(const TSSslSessionID *session_id); tsapi int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
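Review bot: The new `TSVConnSslSniGet` declaration in ts.h is the only one in this stretch of the header without a comment, while its neighbour `TSVConnProvidedSslCert` spells out its return values; a plugin author needs the ownership and null cases to use it safely. Suggested comment above the declaration: `/* Returns the SNI host name the client sent on the TLS connection sslp, or nullptr if sslp is null or no name was sent. The string aliases storage owned by the connection: do not free it and copy it if it must outlive the callback. If length is non-null it receives the name length (0 when no name); it is not written when sslp is null. */`. Those facts follow from the InkAPI.cc definition in this commit, which returns the connection's own `get_server_name()` pointer unchanged and only writes `*length` after the null check. The new rst page in this commit writes the synopsis as `const char TSVConnSslSniGet(...)` without the `*`; unless that is an artifact of this rendering it should match the header, and its Description could also state the `length` out-parameter and the nullptr result.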
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 21f711c82d1..1db3ae42bba 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9451,6 +9451,25 @@ TSVConnSslConnectionGet(TSVConn sslp)
 return ssl;
 }
 
+const char *
+TSVConnSslSniGet(TSVConn sslp, int *length)
+{
+ char const *server_name = nullptr;
+ NetVConnection *vc = reinterpret_cast(sslp);
+
+ if (vc == nullptr) {
+ return nullptr;
+ }
+
+ server_name = vc->get_server_name();
+
+ if (length) {
+ *length = server_name ? strlen(server_name) : 0;
+ }
+
+ return server_name;
+}
+
 tsapi TSSslVerifyCTX
 TSVConnSslVerifyCTXGet(TSVConn sslp)
 {
diff --git a/tests/gold_tests/tls/tls_hooks_verify.test.py b/tests/gold_tests/tls/tls_hooks_verify.test.py
index a60146da4fd..7df8ec0eca3 100644
--- a/tests/gold_tests/tls/tls_hooks_verify.test.py
+++ b/tests/gold_tests/tls/tls_hooks_verify.test.py
@@ -92,7 +92,7 @@ tr3.Processes.Default.ReturnCode = 0 tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have failed") -# Over riding the built in ERROR check since we expect tr2 to fail +# Overriding the built in ERROR check since we expect tr2 to fail ts.Disk.diags_log.Content = Testers.ContainsExpression( "WARNING: TS_EVENT_SSL_VERIFY_SERVER plugin failed the origin certificate check for 127.0.0.1. Action=Terminate SNI=random.com", "random.com should fail")
@@ -113,3 +113,4 @@ "Server verify callback 0 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times") ts.Streams.All += Testers.ContainsExpression( "Server verify callback 1 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times") +ts.Streams.All += Testers.ContainsExpression("Server verify callback SNI APIs match=true", "verify SNI names match")
diff --git a/tests/tools/plugins/ssl_verify_test.cc b/tests/tools/plugins/ssl_verify_test.cc
index d375a078071..1cc35ae7733 100644
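Review bot: `*length` is never written on the early `return nullptr` path when `sslp` is null, so a caller that declares `int len;` and reads it after the call (as the new ssl_verify_test.cc plugin in this commit does) reads an indeterminate value; write the out-parameter before the null check, `if (length) { *length = 0; }` placed ahead of `if (vc == nullptr)`, so every return path leaves it defined. `strlen` returns `size_t` and is narrowed into `int *length`; `*length = server_name ? static_cast<int>(strlen(server_name)) : 0;` makes the truncation explicit. The `reinterpret_cast(sslp)` shown here has no template argument, presumably `<NetVConnection *>` lost in this rendering, but worth confirming against the actual file. The function also deserves a header comment stating that the returned pointer is `vc->get_server_name()` handed back as-is, i.e. it aliases storage owned by the connection and must be copied if retained past the callback, and that the name is whatever the peer sent in the handshake and should be treated as untrusted input by plugins.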
--- a/tests/tools/plugins/ssl_verify_test.cc
+++ b/tests/tools/plugins/ssl_verify_test.cc
@@ -61,6 +61,10 @@ CB_server_verify(TSCont cont, TSEvent event, void *edata)
 event == TS_EVENT_SSL_VERIFY_SERVER ? "good" : "bad", sni_name, reenable_event == TS_EVENT_ERROR ? "error HS" : "good HS");
+ int len;
+ const char *method2_name = TSVConnSslSniGet(ssl_vc, &len);
+ TSDebug(PN, "Server verify callback SNI APIs match=%s", 0 == strncmp(method2_name, sni_name, len) ? "true" : "false");
+
 // All done, reactivate things
 TSVConnReenableEx(ssl_vc, reenable_event);
 return TS_SUCCESS;
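Review bot: `strncmp(method2_name, sni_name, len)` on the new TSDebug line is undefined behaviour when `method2_name` is null, which `TSVConnSslSniGet` returns when no SNI was sent or the vc is null, and in the null-vc case `len` is never written either, so an uninitialised `int len;` is passed as the length. The comparison is also only a prefix check, because `len` is the length of `method2_name`; a `sni_name` that merely starts with the same characters as the returned name would still log `match=true`. Guard both pointers and compare the full strings: `int len = 0;`, `const bool names_match = method2_name != nullptr && sni_name != nullptr && strcmp(method2_name, sni_name) == 0;`, `TSDebug(PN, "Server verify callback SNI APIs match=%s", names_match ? "true" : "false");`. `sni_name` is set earlier in CB_server_verify outside this hunk, so whether it can be null at this point cannot be judged from here; the enclosing function starts above the hunk.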