ssl: Sessions must be registered with SNI if exists

2 files changed, 67 insertions, 3 deletions

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 2fed7d864f..1775acb2b0 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -702,6 +702,7 @@ cipher(internal, #finished{verify_data = Data} = Finished,
 	      expecting_finished = true,
 	      session = #session{master_secret = MasterSecret}
 	      = Session0,
+              ssl_options = SslOpts,
 	      connection_states = ConnectionStates0,
 	      tls_handshake_history = Handshake0} = State, Connection) ->
     case ssl_handshake:verify_connection(ssl:tls_version(Version), Finished,
@@ -709,7 +710,7 @@ cipher(internal, #finished{verify_data = Data} = Finished,
 					 get_current_prf(ConnectionStates0, read),
 					 MasterSecret, Handshake0) of
         verified ->
-	    Session = register_session(Role, Host, Port, Session0),
+	    Session = register_session(Role, host_id(Role, Host, SslOpts), Port, Session0),
 	    cipher_role(Role, Data, Session, 
 			State#state{expecting_finished = false}, Connection);
         #alert{} = Alert ->
@@ -2098,6 +2099,11 @@ register_session(server, _, Port, #session{is_resumable = new} = Session0) ->
 register_session(_, _, _, Session) ->
     Session. %% Already registered
 
+host_id(client, _Host, #ssl_options{server_name_indication = Hostname}) when is_list(Hostname) ->
+    Hostname;
+host_id(_, Host, _) ->
+    Host.
+
 handle_new_session(NewId, CipherSuite, Compression, 
 		   #state{session = Session0,
 			  protocol_cb = Connection} = State0) ->
diff --git a/lib/ssl/test/ssl_sni_SUITE.erl b/lib/ssl/test/ssl_sni_SUITE.erl
index e080de95f6..13cb567110 100644
--- a/lib/ssl/test/ssl_sni_SUITE.erl
+++ b/lib/ssl/test/ssl_sni_SUITE.erl
@@ -60,7 +60,8 @@ sni_tests() ->
      sni_no_match_fun,
      dns_name,
      ip_fallback,
-     no_ip_fallback].
+     no_ip_fallback,
+     dns_name_reuse].
 
 init_per_suite(Config0) ->
     catch crypto:stop(),
@@ -87,6 +88,13 @@ end_per_suite(_) ->
     ssl:stop(),
     application:stop(crypto).
 
+init_per_testcase(TestCase, Config) when TestCase == ip_fallback;
+                                         TestCase == no_ip_fallback;
+                                         TestCase == dns_name_reuse ->
+    ssl_test_lib:ct_log_supported_protocol_versions(Config),
+    ct:log("Ciphers: ~p~n ", [ ssl:cipher_suites()]),
+    ct:timetrap({seconds, 20}),
+    Config;
 init_per_testcase(_TestCase, Config) ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
     ct:log("Ciphers: ~p~n ", [ ssl:cipher_suites()]),
@@ -176,7 +184,57 @@ no_ip_fallback(Config) ->
     successfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], Hostname, Config),
     unsuccessfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], IP, Config).
  
-
+dns_name_reuse(Config) ->
+    SNIHostname = "OTP.test.server",
+    #{server_config := ServerConf,
+      client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => [{extensions,  [#'Extension'{extnID = 
+                                                                                                                ?'id-ce-subjectAltName',
+                                                                                                            extnValue = [{dNSName, SNIHostname}],
+                                                                                                            critical = false}]}]},
+                                                                 client_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => []}}),
+    
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+  
+    unsuccessfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], undefined, Config),
+    
+    Server = 
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+				   {from, self()},
+				   {mfa, {ssl_test_lib, session_info_result, []}},
+				   {options, ServerConf}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client0 =
+	ssl_test_lib:start_client([{node, ClientNode}, 
+                                   {port, Port}, {host, Hostname},
+				   {mfa, {ssl_test_lib, no_result, []}},
+                                   {from, self()}, {options, [{verify, verify_peer}, 
+                                                              {server_name_indication, SNIHostname} | ClientConf]}]),   
+    SessionInfo = 
+        receive
+	    {Server, Info} ->
+		Info
+	end,
+    
+    Server ! {listen, {mfa, {ssl_test_lib, no_result, []}}},
+    
+    %% Make sure session is registered
+    ct:sleep(1000),
+    
+    Client1 =
+	ssl_test_lib:start_client_error([{node, ClientNode},
+                                         {port, Port}, {host, Hostname},
+                                         {mfa, {ssl_test_lib, session_info_result, []}},
+                                         {from, self()},  {options, [{verify, verify_peer} | ClientConf]}]),
+    
+    ssl_test_lib:check_result(Server, {error, {tls_alert, "handshake failure"}},
+                              Client1, {error, {tls_alert, "handshake failure"}}),
+    ssl_test_lib:close(Client0).
 %%--------------------------------------------------------------------
 %% Internal Functions ------------------------------------------------
 %%--------------------------------------------------------------------