diff --git a/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch b/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch
new file mode 100644
index 0000000..dd990d6
--- /dev/null
+++ b/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch
@@ -0,0 +1,76 @@ +diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua +index 8792be0..16b9c13 100644 +--- lib/ngx/ssl.lua ++++ lib/ngx/ssl.lua +@@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key + local ngx_lua_ffi_ssl_raw_server_addr + local ngx_lua_ffi_ssl_server_port + local ngx_lua_ffi_ssl_server_name ++local ngx_lua_ffi_ssl_session_hostname + local ngx_lua_ffi_ssl_raw_client_addr + local ngx_lua_ffi_cert_pem_to_der + local ngx_lua_ffi_priv_key_pem_to_der +@@ -58,6 +59,9 @@ if subsystem == 'http' then + int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + size_t *namelen, char **err); + ++ int ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err); ++ + int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr, + size_t *addrlen, int *addrtype, char **err); + +@@ -97,6 +101,7 @@ if subsystem == 'http' then + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr + ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der +@@ -129,6 +134,9 @@ elseif subsystem == 'stream' then + int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, + char **name, size_t *namelen, char **err); + ++ int ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, ++ char **name, size_t *namelen, char **err); ++ + int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r, + char **addr, size_t *addrlen, int *addrtype, char **err); + +@@ -168,6 +176,7 @@ elseif subsystem == 'stream' then + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_stream_lua_ffi_ssl_raw_server_addr + 
ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_stream_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der +@@ -299,6 +308,27 @@ function _M.server_name() + end + + ++function _M.session_hostname() ++ local r = get_request() ++ if not r then ++ error("no request found") ++ end ++ ++ local sizep = get_size_ptr() ++ ++ local rc = ngx_lua_ffi_ssl_session_hostname(r, charpp, sizep, errmsg) ++ if rc ~= FFI_OK then ++ return nil, ffi_str(errmsg[0]) ++ end ++ ++ if sizep[0] == 0 then ++ return nil ++ end ++ ++ return ffi_str(charpp[0], sizep[0]) ++end ++ ++ + function _M.raw_client_addr() + local r = get_request() + if not r then diff --git a/patch/1.21.4/ngx_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..e83b412 --- /dev/null +++ b/patch/1.21.4/ngx_lua-ssl_session_hostname.patch 
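Review bot: `_M.session_hostname()` is added next to `_M.server_name()` with no comment saying how the two differ, and the name alone does not tell a caller that the value comes from the hostname recorded on the SSL session object (the C side of this series reads it via `SSL_SESSION_get0_hostname`) rather than from a fresh lookup of the current handshake's server name. A two-line header comment would settle that, e.g. `-- Hostname recorded in the current SSL session (SSL_SESSION_get0_hostname);` / `-- returns nil when the session carries none or the TLS library does not expose it.` Since the value originates from the client-supplied server name, callers that use it for routing, certificate lookup or logging should validate it like any other peer input; the comment could say so. The same missing comment applies to the identical hunk in the 1.27.1.1 lua-resty-core patch further down.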
@@ -0,0 +1,51 @@ +diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c +index b8e70dde..c3bfc790 100644 +--- src/ngx_http_lua_ssl_certby.c ++++ src/ngx_http_lua_ssl_certby.c +@@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + } + + ++int ++ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_http_lua_ffi_ssl_server_port(ngx_http_request_t *r, + unsigned short *server_port, char **err) diff --git a/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..9e91666 --- /dev/null +++ b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch 
@@ -0,0 +1,51 @@ +diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c +index 7b4cc5b..3aa44bb 100644 +--- src/ngx_stream_lua_ssl_certby.c ++++ src/ngx_stream_lua_ssl_certby.c +@@ -882,6 +882,46 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, + } + + ++int ++ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_stream_lua_ffi_ssl_server_port(ngx_stream_lua_request_t *r, + unsigned short *server_port, char **err) diff --git a/patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch b/patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch new file mode 100644 index 0000000..1ae2874 --- /dev/null +++ b/patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch 
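Review bot: `SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn))` passes the session straight through without checking that `SSL_get0_session()` returned one; the accessor does not itself tolerate a NULL session, so a call made before a session object exists on the connection would fault inside the library rather than fall through to the empty-name return. Guard it: `SSL_SESSION *sess = SSL_get0_session(ssl_conn);` / `if (sess != NULL) {` / `*name = (char *) SSL_SESSION_get0_hostname(sess);` and keep the existing `if (*name)` length/return logic inside that branch, so a missing session behaves like the non-OpenSSL build (`*name = ""`, `*namelen = 0`, `NGX_OK`). The same unguarded call is in the 1.21.4 ngx_stream_lua patch, the 1.27.1.1 ngx_lua patch and the 1.27.1.1 ngx_stream_lua patch, which appear to be byte-for-byte copies of this function. The block comment's second clause is hard to parse; `/* Needs OpenSSL 1.1.1+: SSL_SESSION_get0_hostname() and the per-handshake TLSv1.3 server name it reports both appeared there */` says the same thing more plainly.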
@@ -0,0 +1,76 @@ +diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua +index b696bea..ff1f251 100644 +--- lib/ngx/ssl.lua ++++ lib/ngx/ssl.lua +@@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key + local ngx_lua_ffi_ssl_raw_server_addr + local ngx_lua_ffi_ssl_server_port + local ngx_lua_ffi_ssl_server_name ++local ngx_lua_ffi_ssl_session_hostname + local ngx_lua_ffi_ssl_raw_client_addr + local ngx_lua_ffi_cert_pem_to_der + local ngx_lua_ffi_priv_key_pem_to_der +@@ -64,6 +65,9 @@ if subsystem == 'http' then + int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + size_t *namelen, char **err); + ++ int ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err); ++ + int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr, + size_t *addrlen, int *addrtype, char **err); + +@@ -124,6 +128,7 @@ if subsystem == 'http' then + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr + ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der +@@ -164,6 +169,9 @@ elseif subsystem == 'stream' then + int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, + char **name, size_t *namelen, char **err); + ++ int ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, ++ char **name, size_t *namelen, char **err); ++ + int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r, + char **addr, size_t *addrlen, int *addrtype, char **err); + +@@ -212,6 +220,7 @@ elseif subsystem == 'stream' then + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_stream_lua_ffi_ssl_raw_server_addr + 
ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_stream_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der +@@ -346,6 +355,27 @@ function _M.server_name() + end + + ++function _M.session_hostname() ++ local r = get_request() ++ if not r then ++ error("no request found") ++ end ++ ++ local sizep = get_size_ptr() ++ ++ local rc = ngx_lua_ffi_ssl_session_hostname(r, charpp, sizep, errmsg) ++ if rc ~= FFI_OK then ++ return nil, ffi_str(errmsg[0]) ++ end ++ ++ if sizep[0] == 0 then ++ return nil ++ end ++ ++ return ffi_str(charpp[0], sizep[0]) ++end ++ ++ + function _M.raw_client_addr() + local r = get_request() + if not r then diff --git a/patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch b/patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..7a0bc85 --- /dev/null +++ b/patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch 
@@ -0,0 +1,51 @@ +diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c +index 72a651bd..7db28e10 100644 +--- src/ngx_http_lua_ssl_certby.c ++++ src/ngx_http_lua_ssl_certby.c +@@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + } + + ++int ++ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_http_lua_ffi_ssl_server_port(ngx_http_request_t *r, + unsigned short *server_port, char **err) diff --git a/patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch b/patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..9adef70 --- /dev/null +++ b/patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch 
@@ -0,0 +1,51 @@ +diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c +index a34e187..0f65d82 100644 +--- src/ngx_stream_lua_ssl_certby.c ++++ src/ngx_stream_lua_ssl_certby.c +@@ -884,6 +884,46 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, + } + + ++int ++ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_stream_lua_ffi_ssl_server_port(ngx_stream_lua_request_t *r, + unsigned short *server_port, char **err)