apache · shinrich · Apr 23, 2020 · Apr 22, 2020
diff --git a/plugins/experimental/traffic_dump/traffic_dump.cc b/plugins/experimental/traffic_dump/traffic_dump.cc
@@ -616,10 +616,16 @@ global_ssn_handler(TSCont contp, TSEvent event, void *edata)
         TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore non-HTTPS session %" PRId64 "...", id);
         break;
       }
-      const std::string sni = SSL_get_servername(ssl_obj, TLSEXT_NAMETYPE_host_name);
-      if (sni != sni_filter) {
-        TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-filtered SNI: %s", sni.c_str());
+      const char *sni_ptr = SSL_get_servername(ssl_obj, TLSEXT_NAMETYPE_host_name);
+      if (sni_ptr == nullptr) {
+        TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-existent SNI.");
         break;
+      } else {
+        const std::string sni{sni_ptr};
+        if (sni != sni_filter) {
+          TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-filtered SNI: %s", sni.c_str());
+          break;
+        }
       }
     }
     const auto this_session_count = session_counter++;

diff --git a/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold b/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold
@@ -0,0 +1,7 @@
+``
+> GET / HTTP/2
+> Host: bob--cert
+``
+< HTTP/2 200 
+< content-length: 0
+``
diff --git a/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py b/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
@@ -102,12 +102,17 @@
 replay_file_session_2 = os.path.join(replay_dir, "127", "0000000000000001")
 ts.Disk.File(replay_file_session_2, exists=False)
 
+# The third session should also be filtered out because it doesn't have any
+# SNI (note exists is set to False).
+replay_file_session_2 = os.path.join(replay_dir, "127", "0000000000000002")
+ts.Disk.File(replay_file_session_2, exists=False)
+
 #
 # Test 1: Verify dumping a session with the desired SNI and not dumping
 #         the session with the other SNI.
 #
 
-# Execute the first transaction.
+# Execute the first transaction with an SNI of bob.
 tr = Test.AddTestRun("Verify dumping of a session with the filtered SNI")
 tr.Setup.Copy("ssl/signed-foo.pem")
 tr.Setup.Copy("ssl/signed-foo.key")
@@ -121,7 +126,7 @@
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
-# Execute the second transaction.
+# Execute the second transaction with an SNI of dave.
 tr = Test.AddTestRun("Verify that a session of a different SNI is not dumped.")
 tr.Processes.Default.Command = \
         ('curl --tls-max 1.2 -k -H"Host: dave" --resolve "dave:{0}:127.0.0.1" '
@@ -131,6 +136,16 @@
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
+# Execute the third transaction without any SNI.
+tr = Test.AddTestRun("Verify that a session of a non-existent SNI is not dumped.")
+tr.Processes.Default.Command = \
+        ('curl --tls-max 1.2 -k -H"Host: bob"'
+         '--cert ./signed-foo.pem --key ./signed-foo.key --verbose https://127.0.0.1:{0}'.format(ts.Variables.ssl_port))
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stderr = "gold/200_bob_no_sni.gold"
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+
 # Verify the properties of the replay file for the dumped transaction.
 tr = Test.AddTestRun("Verify the json content of the first session")
 verify_replay = "verify_replay.py"