Merge pull request #255 from gasbytes/ResumeTLS13withSNI-patch

Fix TLS 1.3 session resumption to preserve SNI extension
2025-03-12 10:23:19 -06:00 · 2025-03-12 10:23:19 -06:00 · 95bedabeb2
parent ad23ac20e9 fd143de8bb
commit 95bedabeb2
3 changed files with 72 additions and 1 deletions
--- a/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java
@ -27,6 +27,8 @@ import com.wolfssl.WolfSSL.TLS_VERSION;
 import com.wolfssl.WolfSSLSession;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@ -399,6 +401,25 @@ public class WolfSSLAuthStore {

                ses.isFromTable = true;

+                /* Check if the session has stored SNI server names */
+                List<SNIServerName> sniNames = ses.getSNIServerNames();
+                if (sniNames != null && !sniNames.isEmpty()) {
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "Found SNI server names in cached session");
+
+                    /* Apply SNI settings to the SSL connection */
+                    for (SNIServerName name : sniNames) {
+                        if (name instanceof SNIHostName) {
+                            String hostName = ((SNIHostName)name).getAsciiName();
+                            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                                    "Applying SNI hostname for resumption: " + hostName);
+
+                            /* Set the SNI directly on the SSL object */
+                            ssl.useSNI((byte)WolfSSL.WOLFSSL_SNI_HOST_NAME, hostName.getBytes());
+                        }
+                    }
+                }
+
                if (ses.resume(ssl) != WolfSSL.SSL_SUCCESS) {
                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                        "native wolfSSL_set_session() failed, " +
--- a/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java
@ -2073,6 +2073,17 @@ public class WolfSSLEngine extends SSLEngine {
            "entered setSSLParameters()");
        if (params != null) {
            WolfSSLParametersHelper.importParams(params, this.params);
+
+            /* Store SNI server names in the session for potential resumption */
+            if (params.getServerNames() != null && !params.getServerNames().isEmpty()) {
+                WolfSSLImplementSSLSession session =
+                    (WolfSSLImplementSSLSession)this.getSession();
+                if (session != null) {
+                    session.setSNIServerNames(params.getServerNames());
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "Captured SNI server names for session caching");
+                }
+            }
        }
    }

--- a/src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java
@ -115,6 +115,31 @@ public class WolfSSLImplementSSLSession extends ExtendedSSLSession
     * in resumption cases. */
    private static final Object sesPtrLock = new Object();

+    /**
+     * Stored SNI server names from original session, used during resumption
+     */
+    private List<SNIServerName> sniServerNames = null;
+
+    /**
+     * Store SNI server names for this session for later resumption
+     * @param serverNames list of SNI server names to store
+     */
+    public synchronized void setSNIServerNames(List<SNIServerName> serverNames) {
+        if (serverNames != null && !serverNames.isEmpty()) {
+            this.sniServerNames = new ArrayList<>(serverNames);
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                    "Stored SNI server names for session resumption");
+        }
+    }
+
+    /**
+     * Get stored SNI server names for this session
+     * @return list of stored SNI server names, may be null
+     */
+    public synchronized List<SNIServerName> getSNIServerNames() {
+        return this.sniServerNames;
+    }
+
    /**
     * Create new WolfSSLImplementSSLSession
     *
@ -846,13 +871,27 @@ public class WolfSSLImplementSSLSession extends ExtendedSSLSession
     * Update internally-stored session values.
     */
    protected synchronized void updateStoredSessionValues() {
-
        try {
            this.protocol = this.ssl.getVersion();
        } catch (IllegalStateException | WolfSSLJNIException ex) {
            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                "Not able to update stored WOLFSSL protocol");
        }
+
+        /* Also store SNI server names if not already set */
+        if (this.sniServerNames == null || this.sniServerNames.isEmpty()) {
+            try {
+                List<SNIServerName> names = this.getRequestedServerNames();
+                if (names != null && !names.isEmpty()) {
+                    this.sniServerNames = new ArrayList<>(names);
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "Extracted SNI server names from session");
+                }
+            } catch (UnsupportedOperationException ex) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        "Error extracting SNI server names: " + ex.getMessage());
+            }
+        }
    }

    /**