Check sni against SSL object (#6656)

Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
(cherry picked from commit 1f6a6fd)

Author: shinrich

iocore/net/I_NetVConnection.h

@@ -649,6 +649,12 @@ class NetVConnection : public VConnection, public PluginUserArgs<TS_USER_ARGS_VC
     return false;
   }
 
+  virtual const char *
+  get_sni_servername() const
+  {
+    return nullptr;
+  }
+
   /** Structure holding user options. */
   NetVCOptions options;
 

iocore/net/P_SSLNetVConnection.h

@@ -454,6 +454,12 @@ class SSLNetVConnection : public UnixNetVConnection, public ALPNSupport
     verify_cert = ctx;
   }
 
+  const char *
+  get_sni_servername() const override
+  {
+    return SSL_get_servername(this->ssl, TLSEXT_NAMETYPE_host_name);
+  }
+
 private:
   std::string_view map_tls_protocol_to_tag(const char *proto_string) const;
   bool update_rbio(bool move_to_socket);

proxy/http/HttpSessionManager.cc

@@ -85,7 +85,7 @@ ServerSessionPool::validate_host_sni(HttpSM *sm, NetVConnection *netvc)
     // by fetching the hostname from the server request.  So the connection should only
     // be reused if the hostname in the new request is the same as the host name in the
     // original request
-    const char *session_sni = netvc->options.sni_servername;
+    const char *session_sni = netvc->get_sni_servername();
     if (session_sni) {
       // TS-4468: If the connection matches, make sure the SNI server
       // name (if present) matches the request hostname
@@ -106,7 +106,7 @@ ServerSessionPool::validate_sni(HttpSM *sm, NetVConnection *netvc)
   // a new connection.
   //
   if (sm->t_state.scheme == URL_WKSIDX_HTTPS) {
-    const char *session_sni       = netvc->options.sni_servername;
+    const char *session_sni       = netvc->get_sni_servername();
     std::string_view proposed_sni = sm->get_outbound_sni();
     Debug("http_ss", "validate_sni proposed_sni=%s, sni=%s", proposed_sni.data(), session_sni);
     if (!session_sni || proposed_sni.length() == 0) {