apache · randall · Oct 19, 2021 · Oct 6, 2021
diff --git a/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
@@ -0,0 +1,33 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed
+   with this work for additional information regarding copyright
+   ownership.  The ASF licenses this file to you under the Apache
+   License, Version 2.0 (the "License"); you may not use this file
+   except in compliance with the License.  You may obtain a copy of
+   the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied.  See the License for the specific language governing
+   permissions and limitations under the License.
+
+
+TSVConnSslSniGet
+================
+
+Synopsis
+--------
+
+.. code-block:: cpp
+
+    #include <ts/ts.h>
+
+.. c:function:: const char TSVConnSslSniGet(TSVConn sslp, int *length)
+
+
+Description
+-----------
+Get the SNI (Server Name Indication) that corresponds to SSL connection :arg:`sslp`.
diff --git a/include/ts/ts.h b/include/ts/ts.h
@@ -1325,6 +1325,7 @@ tsapi int TSVConnIsSsl(TSVConn sslp);
 /* Returns 1 if a certificate was provided in the TLS handshake, 0 otherwise.
  */
 tsapi int TSVConnProvidedSslCert(TSVConn sslp);
+tsapi const char *TSVConnSslSniGet(TSVConn sslp, int *length);
 
 tsapi TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
 tsapi int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);

diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
@@ -9451,6 +9451,25 @@ TSVConnSslConnectionGet(TSVConn sslp)
   return ssl;
 }
 
+const char *
+TSVConnSslSniGet(TSVConn sslp, int *length)
+{
+  char const *server_name = nullptr;
+  NetVConnection *vc      = reinterpret_cast<NetVConnection *>(sslp);
+
+  if (vc == nullptr) {
+    return nullptr;
+  }
+
+  server_name = vc->get_server_name();
+
+  if (length) {
+    *length = server_name ? strlen(server_name) : 0;
+  }
+
+  return server_name;
+}
+
 tsapi TSSslVerifyCTX
 TSVConnSslVerifyCTXGet(TSVConn sslp)
 {

diff --git a/tests/gold_tests/tls/tls_hooks_verify.test.py b/tests/gold_tests/tls/tls_hooks_verify.test.py
@@ -92,7 +92,7 @@
 tr3.Processes.Default.ReturnCode = 0
 tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have failed")
 
-# Over riding the built in ERROR check since we expect tr2 to fail
+# Overriding the built in ERROR check since we expect tr2 to fail
 ts.Disk.diags_log.Content = Testers.ContainsExpression(
     "WARNING: TS_EVENT_SSL_VERIFY_SERVER plugin failed the origin certificate check for 127.0.0.1.  Action=Terminate SNI=random.com",
     "random.com should fail")
@@ -113,3 +113,4 @@
     "Server verify callback 0 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times")
 ts.Streams.All += Testers.ContainsExpression(
     "Server verify callback 1 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times")
+ts.Streams.All += Testers.ContainsExpression("Server verify callback SNI APIs match=true", "verify SNI names match")
diff --git a/tests/tools/plugins/ssl_verify_test.cc b/tests/tools/plugins/ssl_verify_test.cc
@@ -61,6 +61,10 @@ CB_server_verify(TSCont cont, TSEvent event, void *edata)
           event == TS_EVENT_SSL_VERIFY_SERVER ? "good" : "bad", sni_name,
           reenable_event == TS_EVENT_ERROR ? "error HS" : "good HS");
 
+  int len;
+  const char *method2_name = TSVConnSslSniGet(ssl_vc, &len);
+  TSDebug(PN, "Server verify callback SNI APIs match=%s", 0 == strncmp(method2_name, sni_name, len) ? "true" : "false");
+
   // All done, reactivate things
   TSVConnReenableEx(ssl_vc, reenable_event);
   return TS_SUCCESS;