authorSpencer Jackson <spencer.jackson@mongodb.com>2020-09-08 20:37:41 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-09-11 15:28:31 +0000
commita5f72d4b37ed92fa72d3a31e0af4266c9ef8d014 (patch)
treeb849b6090bfd3fde79134862da9f5060e78287a5
parent712013ffd49d76c699a5a0128f5605a10b497967 (diff)
SERVER-50736 Make OpenSSL explicitly accept SNIs
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 1e10dd2ed9b..f72ab141114 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1336,6 +1336,7 @@ private:
* Callbacks for SSL functions.
*/
static int password_cb(char* buf, int num, int rwflag, void* userdata);
+ static int servername_cb(SSL* s, int* al, void* arg);
static int verify_cb(int ok, X509_STORE_CTX* ctx);
};
@@ -1525,6 +1526,12 @@ int SSLManagerOpenSSL::password_cb(char* buf, int num, int rwflag, void* userdat
return copyCount;
}
+int SSLManagerOpenSSL::servername_cb(SSL* s, int* al, void* arg) {
+ // Unconditionally accept the SNI presented by the client. This will ensure that if the client
+ // later performs session resumption, subsequent connections will still have access to the SNI.
+ return SSL_TLSEXT_ERR_OK;
+}
+
int SSLManagerOpenSSL::verify_cb(int ok, X509_STORE_CTX* ctx) {
return 1; // always succeed; we will catch the error in our get_verify_result() call
}
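Review bot: servername_cb ignores all three of its parameters, so the definition should leave them unnamed, `int SSLManagerOpenSSL::servername_cb(SSL*, int*, void*) {`, rather than introduce unused-parameter warnings in builds that enable them. The comment should also state what the callback deliberately does not do: it never inspects the presented name, never compares it against any hostname the server is configured for, and never switches contexts with SSL_set_SSL_CTX, so any value the client sends is accepted and retained; something like `// No validation is performed and no per-name SSL_CTX is selected; the name is only retained so that session resumption and later inspection can see it.` makes that explicit for the next reader. It is worth adding that SSL_TLSEXT_ERR_OK rather than SSL_TLSEXT_ERR_NOACK is required here because, as far as I recall, OpenSSL only keeps the server name in the session when the callback reports OK, which is the property the commit relies on. Since acceptance is unconditional, whatever later reads the stored name should treat it as untrusted client input.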
@@ -2088,6 +2095,13 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
<< getSSLErrorMessage(ERR_get_error()));
}
+ // We should accept all SNI extensions advertised by clients
+ if (1 != SSL_CTX_set_tlsext_servername_callback(context, &SSLManagerOpenSSL::servername_cb)) {
+ return Status(ErrorCodes::InvalidSSLConfiguration,
+ str::stream() << "Can not set servername callback: "
+ << getSSLErrorMessage(ERR_get_error()));
+ }
+
if (direction == ConnectionDirection::kOutgoing && params.tlsWithholdClientCertificate) {
// Do not send a client certificate if they have been suppressed.