
Commit 5b8233a

committed
CDRIVER-2153 Add SNI support for the mock server
1 parent d58d7a8 commit 5b8233a


1 file changed

+36
-6
lines changed


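--- a/src/mongoc/mongoc-stream-tls-openssl.c
+++ b/src/mongoc/mongoc-stream-tls-openssl.c
@@ -557,12 +557,6 @@ mongoc_stream_tls_openssl_handshake (mongoc_stream_t *stream,
 
 BIO_get_ssl (openssl->bio, &ssl);
 
-/* Added in OpenSSL 0.9.8f, as a build time option */
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-/* Set the SNI hostname we are expecting certificate for */
-SSL_set_tlsext_host_name (ssl, host);
-#endif
-
 if (BIO_do_handshake (openssl->bio) == 1) {
 if (_mongoc_openssl_check_cert (
 ssl, host, tls->ssl_opts.allow_invalid_hostname)) {
@@ -602,6 +596,25 @@ mongoc_stream_tls_openssl_handshake (mongoc_stream_t *stream,
 RETURN (false);
 }
 
+/* Callback to get the client provided SNI, if any
+ * It is only called in SSL "server mode" (e.g. when using the Mock Server),
+ * and we don't actually use the hostname for anything, just debug print it
+ */
+static int
+_mongoc_stream_tls_openssl_sni (SSL *ssl, int *ad, void *arg)
+{
+const char *hostname;
+
+if (ssl == NULL) {
+MONGOC_DEBUG ("No SNI hostname provided");
+return SSL_TLSEXT_ERR_NOACK;
+}
+
+hostname = SSL_get_servername (ssl, TLSEXT_NAMETYPE_host_name);
+MONGOC_DEBUG ("Got SNI: '%s'", hostname);
+
+return SSL_TLSEXT_ERR_OK;
+}
 
 /*
 *--------------------------------------------------------------------------
@@ -667,6 +680,13 @@ mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream,
 }
 #endif
 
+if (!client) {
+/* Only usd by the Mock Server.
+ * Set a callback to get the SNI, if provided */
+SSL_CTX_set_tlsext_servername_callback (ssl_ctx,
+_mongoc_stream_tls_openssl_sni);
+}
+
 if (opt->weak_cert_validation) {
 SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
 } else {
@@ -686,6 +706,16 @@ mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream,
 RETURN (NULL);
 }
 
+/* Added in OpenSSL 0.9.8f, as a build time option */
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+if (client) {
+SSL *ssl;
+/* Set the SNI hostname we are expecting certificate for */
+BIO_get_ssl (bio_ssl, &ssl);
+SSL_set_tlsext_host_name (ssl, host);
+#endif
+}
+
 
 BIO_push (bio_ssl, bio_mongoc_shim);
 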
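Review bot: In the last hunk of mongoc_stream_tls_openssl_new the `#endif` is placed before the closing `}` of `if (client) {`, so a build without SSL_CTRL_SET_TLSEXT_HOSTNAME defined is left with an unmatched brace; the `#endif` should come after the brace: `SSL_set_tlsext_host_name (ssl, host);` / `}` / `#endif`. The new `_mongoc_stream_tls_openssl_sni` callback in the second hunk guards `ssl` against NULL but not the result of `SSL_get_servername`, which is NULL when the client sent no SNI extension, so `MONGOC_DEBUG ("Got SNI: '%s'", hostname)` can hand NULL to `%s`; the NULL check belongs on `hostname`, returning SSL_TLSEXT_ERR_NOACK in that case, and the unused `ad`/`arg` parameters could be marked as such. The comment added in the third hunk reads "Only usd" where "used" is meant. The function bodies enclosing the first, third and fourth hunks begin and end outside the hunks.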