Fix TLS 1.3 session resumption to preserve SNI extension

gasbytes · gasbytes · commit fd143de8bb95 · 2025-02-27T13:22:20.000+01:00
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java b/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java
@@ -27,6 +27,8 @@
 import com.wolfssl.WolfSSLSession;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@@ -399,6 +401,25 @@ else if (!sessionCipherSuiteAvailable(
 
                 ses.isFromTable = true;
 
+                /* Check if the session has stored SNI server names */
+                List<SNIServerName> sniNames = ses.getSNIServerNames();
+                if (sniNames != null && !sniNames.isEmpty()) {
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "Found SNI server names in cached session");
+
+                    /* Apply SNI settings to the SSL connection */
+                    for (SNIServerName name : sniNames) {
+                        if (name instanceof SNIHostName) {
+                            String hostName = ((SNIHostName)name).getAsciiName();
+                            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                                    "Applying SNI hostname for resumption: " + hostName);
+
+                            /* Set the SNI directly on the SSL object */
+                            ssl.useSNI((byte)WolfSSL.WOLFSSL_SNI_HOST_NAME, hostName.getBytes());
+                        }
+                    }
+                }
+
                 if (ses.resume(ssl) != WolfSSL.SSL_SUCCESS) {
                     WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                         "native wolfSSL_set_session() failed, " +
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java b/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java
@@ -2073,6 +2073,17 @@ public synchronized void setSSLParameters(SSLParameters params) {
             "entered setSSLParameters()");
         if (params != null) {
             WolfSSLParametersHelper.importParams(params, this.params);
+
+            /* Store SNI server names in the session for potential resumption */
+            if (params.getServerNames() != null && !params.getServerNames().isEmpty()) {
+                WolfSSLImplementSSLSession session =
+                    (WolfSSLImplementSSLSession)this.getSession();
+                if (session != null) {
+                    session.setSNIServerNames(params.getServerNames());
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "Captured SNI server names for session caching");
+                }
+            }
         }
     }
 
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java b/src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java
@@ -115,6 +115,31 @@ public class WolfSSLImplementSSLSession extends ExtendedSSLSession
      * in resumption cases. */
     private static final Object sesPtrLock = new Object();
 
+    /**
+     * Stored SNI server names from original session, used during resumption
+     */
+    private List<SNIServerName> sniServerNames = null;
+
+    /**
+     * Store SNI server names for this session for later resumption
+     * @param serverNames list of SNI server names to store
+     */
+    public synchronized void setSNIServerNames(List<SNIServerName> serverNames) {
+        if (serverNames != null && !serverNames.isEmpty()) {
+            this.sniServerNames = new ArrayList<>(serverNames);
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                    "Stored SNI server names for session resumption");
+        }
+    }
+
+    /**
+     * Get stored SNI server names for this session
+     * @return list of stored SNI server names, may be null
+     */
+    public synchronized List<SNIServerName> getSNIServerNames() {
+        return this.sniServerNames;
+    }
+
     /**
      * Create new WolfSSLImplementSSLSession
      *
@@ -846,13 +871,27 @@ protected synchronized void setResume() {
      * Update internally-stored session values.
      */
     protected synchronized void updateStoredSessionValues() {
-
         try {
             this.protocol = this.ssl.getVersion();
         } catch (IllegalStateException | WolfSSLJNIException ex) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                 "Not able to update stored WOLFSSL protocol");
         }
+
+        /* Also store SNI server names if not already set */
+        if (this.sniServerNames == null || this.sniServerNames.isEmpty()) {
+            try {
+                List<SNIServerName> names = this.getRequestedServerNames();
+                if (names != null && !names.isEmpty()) {
+                    this.sniServerNames = new ArrayList<>(names);
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "Extracted SNI server names from session");
+                }
+            } catch (UnsupportedOperationException ex) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        "Error extracting SNI server names: " + ex.getMessage());
+            }
+        }
     }
 
     /**
