diff --git a/plugins/experimental/traffic_dump/traffic_dump.cc b/plugins/experimental/traffic_dump/traffic_dump.cc
index 34ca15d8e74..938d640bf2d 100644
--- a/plugins/experimental/traffic_dump/traffic_dump.cc
+++ b/plugins/experimental/traffic_dump/traffic_dump.cc
@@ -616,10 +616,16 @@ global_ssn_handler(TSCont contp, TSEvent event, void *edata)
 TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore non-HTTPS session %" PRId64 "...", id);
 break;
 }
- const std::string sni = SSL_get_servername(ssl_obj, TLSEXT_NAMETYPE_host_name);
- if (sni != sni_filter) {
- TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-filtered SNI: %s", sni.c_str());
+ const char *sni_ptr = SSL_get_servername(ssl_obj, TLSEXT_NAMETYPE_host_name);
+ if (sni_ptr == nullptr) {
+ TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-existent SNI.");
 break;
+ } else {
+ const std::string sni{sni_ptr};
+ if (sni != sni_filter) {
+ TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-filtered SNI: %s", sni.c_str());
+ break;
+ }
 }
 }
 const auto this_session_count = session_counter++;
diff --git a/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold b/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold
new file mode 100644
index 00000000000..9638e10bd27
--- /dev/null
+++ b/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold
@@ -0,0 +1,7 @@
+``
+> GET / HTTP/2
+> Host: bob--cert
+``
+< HTTP/2 200
+< content-length: 0
+``
diff --git a/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py b/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
index 9b020659dfd..ff656d525f8 100644
--- a/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
+++ b/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
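Review bot: The `else` after the `break` in the new null check is redundant, and it nests the filter comparison one level deeper than the code it replaces. Because the null branch always breaks out, the comparison can follow it directly, for example `if (sni_filter != sni_ptr) {`, assuming sni_filter is a std::string (its declaration is outside the hunk); the debug line would then print `sni_ptr` and the temporary `sni` copy goes away. A short comment above the check, such as `// SSL_get_servername() returns nullptr when the client sent no server_name extension.`, would record why the guard exists, since the value is supplied by the remote client. global_ssn_handler begins and ends outside the hunk.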
@@ -102,12 +102,17 @@ replay_file_session_2 = os.path.join(replay_dir, "127", "0000000000000001") ts.Disk.File(replay_file_session_2, exists=False) +# The third session should also be filtered out because it doesn't have any +# SNI (note exists is set to False). +replay_file_session_2 = os.path.join(replay_dir, "127", "0000000000000002") +ts.Disk.File(replay_file_session_2, exists=False) + # # Test 1: Verify dumping a session with the desired SNI and not dumping # the session with the other SNI. # -# Execute the first transaction. +# Execute the first transaction with an SNI of bob. tr = Test.AddTestRun("Verify dumping of a session with the filtered SNI") tr.Setup.Copy("ssl/signed-foo.pem") tr.Setup.Copy("ssl/signed-foo.key") @@ -121,7 +126,7 @@ tr.StillRunningAfter = server tr.StillRunningAfter = ts -# Execute the second transaction. +# Execute the second transaction with an SNI of dave. tr = Test.AddTestRun("Verify that a session of a different SNI is not dumped.") tr.Processes.Default.Command = \ ('curl --tls-max 1.2 -k -H"Host: dave" --resolve "dave:{0}:127.0.0.1" ' @@ -131,6 +136,16 @@ tr.StillRunningAfter = server tr.StillRunningAfter = ts +# Execute the third transaction without any SNI. +tr = Test.AddTestRun("Verify that a session of a non-existent SNI is not dumped.") +tr.Processes.Default.Command = \ + ('curl --tls-max 1.2 -k -H"Host: bob"' + '--cert ./signed-foo.pem --key ./signed-foo.key --verbose https://127.0.0.1:{0}'.format(ts.Variables.ssl_port)) +tr.Processes.Default.ReturnCode = 0 +tr.Processes.Default.Streams.stderr = "gold/200_bob_no_sni.gold" +tr.StillRunningAfter = server +tr.StillRunningAfter = ts + # Verify the properties of the replay file for the dumped transaction. tr = Test.AddTestRun("Verify the json content of the first session") verify_replay = "verify_replay.py"
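Review bot: The added assertion for the third session reuses the name `replay_file_session_2`, which already holds the second session's path a few lines above; `replay_file_session_3 = os.path.join(replay_dir, "127", "0000000000000002")` with `ts.Disk.File(replay_file_session_3, exists=False)` would keep the names in step with the comments. Separately, the traffic_dump.cc hunk shows `session_counter++` running only after the SNI filter has passed, so if the dump file name is derived from that counter (not visible here), a wrongly dumped no-SNI session would be written as `0000000000000001`, and this check on `0000000000000002` would not be the one that fails. A comment stating which assertion actually guards the no-SNI case would help the next reader.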
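Review bot: The third curl command in the `@@ -131,6 +136,16 @@` hunk is missing a space between its two string literals: `'... -H"Host: bob"'` is concatenated directly with `'--cert ./signed-foo.pem ...'`, so the shell passes `Host: bob--cert` as the header and `--cert` never reaches curl as an option. The new gold file confirms this with `> Host: bob--cert`. The first literal should end with a space, `('curl --tls-max 1.2 -k -H"Host: bob" '`, and `gold/200_bob_no_sni.gold` should then expect `> Host: bob`. As written, `./signed-foo.pem` is presumably taken as an extra URL, so the run does not present the client certificate it appears to.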