From cae5ef38fbf5d3cd6088bb143ca3bd6f07e13173 Mon Sep 17 00:00:00 2001
From: Benno Evers
Date: Fri, 3 Feb 2023 14:10:47 +0100
Subject: [PATCH] Send SNI information when connecting via TLS
---
 libcaf_openssl/caf/openssl/session.hpp | 3 ++-
 libcaf_openssl/src/openssl/middleman_actor.cpp | 4 ++--
 libcaf_openssl/src/openssl/session.cpp | 6 ++++--
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/libcaf_openssl/caf/openssl/session.hpp b/libcaf_openssl/caf/openssl/session.hpp
index 18b27be864..830afaf9de 100644
--- a/libcaf_openssl/caf/openssl/session.hpp
+++ b/libcaf_openssl/caf/openssl/session.hpp
@@ -41,7 +41,7 @@ class CAF_OPENSSL_EXPORT session {
 rw_state read_some(size_t& result, native_socket fd, void* buf, size_t len);
 rw_state write_some(size_t& result, native_socket fd, const void* buf, size_t len);
- bool try_connect(native_socket fd);
+ bool try_connect(native_socket fd, const std::string& sni_servername);
 bool try_accept(native_socket fd);
 bool must_read_more(native_socket, size_t threshold);
@@ -68,6 +68,7 @@ using session_ptr = std::unique_ptr;
 /// @relates session
 CAF_OPENSSL_EXPORT session_ptr make_session(actor_system& sys, native_socket fd,
+ const std::string& servername,
 bool from_accepted_socket);
 } // namespace caf::openssl
diff --git a/libcaf_openssl/src/openssl/middleman_actor.cpp b/libcaf_openssl/src/openssl/middleman_actor.cpp
index 732ca6e941..4c6bb4377e 100644
--- a/libcaf_openssl/src/openssl/middleman_actor.cpp
+++ b/libcaf_openssl/src/openssl/middleman_actor.cpp
@@ -213,7 +213,7 @@ class doorman_impl : public io::network::doorman_impl {
 auto fd = acceptor_.accepted_socket();
 detail::socket_guard sguard{fd};
 io::network::nonblocking(fd, true);
- auto sssn = make_session(parent()->system(), fd, true);
+ auto sssn = make_session(parent()->system(), fd, "", true);
 if (sssn == nullptr) {
 CAF_LOG_ERROR("Unable to create SSL session for accepted socket");
 return false; 
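Review bot: The new `sni_servername` parameter on try_connect is undocumented, and so is `servername` on make_session in the second hunk of this file; neither hunk says what the string is used for or what an empty value means, even though the doorman hunk passes `""` for accepted sockets. Add `/// Host name sent in the TLS SNI extension; not used when from_accepted_socket is true.` above the make_session declaration and a matching one-line comment on try_connect, so callers know the name is only meaningful on the connect path (the make_session body in session.cpp forwards it to try_connect only). The enclosing class body starts and ends outside this hunk.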
@@ -245,7 +245,7 @@ class middleman_actor_impl : public io::middleman_actor_impl {
 if (!fd)
 return std::move(fd.error());
 io::network::nonblocking(*fd, true);
- auto sssn = make_session(system(), *fd, false);
+ auto sssn = make_session(system(), *fd, host, false);
 if (!sssn) {
 CAF_LOG_ERROR("Unable to create SSL session for connection");
 return sec::cannot_connect_to_node;
diff --git a/libcaf_openssl/src/openssl/session.cpp b/libcaf_openssl/src/openssl/session.cpp
index 728b584a8f..dcdfb34c13 100644
--- a/libcaf_openssl/src/openssl/session.cpp
+++ b/libcaf_openssl/src/openssl/session.cpp
@@ -154,11 +154,12 @@ rw_state session::write_some(size_t& result, native_socket, const void* buf,
 return do_some(wr_fun, result, const_cast(buf), len, "write_some");
 }
-bool session::try_connect(native_socket fd) {
+bool session::try_connect(native_socket fd, const std::string& sni_servername) {
 CAF_LOG_TRACE(CAF_ARG(fd));
 CAF_BLOCK_SIGPIPE();
 SSL_set_fd(ssl_, fd);
 SSL_set_connect_state(ssl_);
+ SSL_set_tlsext_host_name(ssl_, sni_servername.c_str());
 auto ret = SSL_connect(ssl_);
 if (ret == 1)
 return true;
@@ -285,6 +286,7 @@ bool session::handle_ssl_result(int ret) {
 }
 session_ptr make_session(actor_system& sys, native_socket fd,
+ const std::string& servername,
 bool from_accepted_socket) {
 session_ptr ptr{new session(sys)};
 if (!ptr->init())
@@ -293,7 +295,7 @@ session_ptr make_session(actor_system& sys, native_socket fd,
 if (!ptr->try_accept(fd))
 return nullptr;
 } else {
- if (!ptr->try_connect(fd))
+ if (!ptr->try_connect(fd, servername))
 return nullptr;
 }
 return ptr;
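Review bot: The return value of the added `SSL_set_tlsext_host_name` call in try_connect is discarded, so a rejected name (OpenSSL returns 0 for an empty or over-long name and leaves an entry on its error queue) goes unnoticed, and that stale queue entry can then turn a routine want-read result from the following `SSL_connect` into a hard failure in the error handling. The signature accepts any string and the doorman call site already passes `""` as a placeholder, so guard the call: `if (!sni_servername.empty() && SSL_set_tlsext_host_name(ssl_, sni_servername.c_str()) != 1) return false;`. RFC 6066 does not permit IP literals in the SNI host name, and the `host` forwarded by the middleman hunk may be an address rather than a DNS name, so the caller or this function should also skip SNI for literal addresses. Setting SNI does not by itself make certificate verification check that name; unless session::init (outside this hunk) already pins it, consider calling `SSL_set1_host(ssl_, sni_servername.c_str())` next to it so the verified name and the SNI name agree, and include the name in the `CAF_LOG_TRACE` arguments for diagnosability. try_connect's body continues past the end of the hunk.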