Set the SNI value from the TLS inspector server name if it isn't avai…

…lable on the connection/socket. Signed-off-by: Marc Barry <4965634+marc-barry@users.noreply.github.com>
envoyproxy · May 12, 2024 · 4496677 · 4496677
1 parent 4b0495b
commit 4496677
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/source/extensions/filters/common/ext_authz/check_request_utils.cc b/source/extensions/filters/common/ext_authz/check_request_utils.cc
@@ -248,8 +248,15 @@ void CheckRequestUtils::createHttpCheck(
                         cb->decodingBuffer(), headers, max_request_bytes, pack_as_bytes,
                         encode_raw_headers, request_header_matchers);
 
-  if (include_tls_session && cb->connection()->ssl() != nullptr) {
-    setTLSSession(*attrs->mutable_tls_session(), cb->connection()->ssl());
+  if (include_tls_session) {
+    // Try to get the SNI from the TLS session. If not available there then try the
+    // data from the TLS inspector (i.e. the server name)
+    if (cb->connection()->ssl() != nullptr) {
+      setTLSSession(*attrs->mutable_tls_session(), cb->connection()->ssl());
+    } else if (!cb->connection()->requestedServerName().empty()) {
+      std::string sni{b->connection()->requestedServerName()};
+      attrs->mutable_tls_session()->set_sni(sni);
+    }
   }
   (*attrs->mutable_destination()->mutable_labels()) = destination_labels;
   // Fill in the context extensions and metadata context.
@@ -272,8 +279,16 @@ void CheckRequestUtils::createTcpCheck(
                      include_peer_certificate);
   setAttrContextPeer(*attrs->mutable_destination(), cb->connection(), server_name, true,
                      include_peer_certificate);
-  if (include_tls_session && cb->connection().ssl() != nullptr) {
-    setTLSSession(*attrs->mutable_tls_session(), cb->connection().ssl());
+
+  // Try to get the SNI from the TLS session. If not available there then try the
+  // data from the TLS inspector (i.e. the server name)
+  if (include_tls_session) {
+    if (cb->connection()->ssl() != nullptr) {
+      setTLSSession(*attrs->mutable_tls_session(), cb->connection()->ssl());
+    } else if (!cb->connection()->requestedServerName().empty()) {
+      std::string sni{b->connection()->requestedServerName()};
+      attrs->mutable_tls_session()->set_sni(sni);
+    }
   }
   (*attrs->mutable_destination()->mutable_labels()) = destination_labels;
 }