From bff628697a6a21b627ff9f9e5f3962de6b627380 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Tue, 1 Feb 2022 11:50:51 +0100
Subject: [PATCH] dnsdist: Add regression tests for outgoing SNI
---
 regression-tests.dnsdist/test_OutgoingDOH.py | 8 ++++++++
 regression-tests.dnsdist/test_OutgoingTLS.py | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/regression-tests.dnsdist/test_OutgoingDOH.py b/regression-tests.dnsdist/test_OutgoingDOH.py
index 217c885fef..55c7ba57ca 100644
--- a/regression-tests.dnsdist/test_OutgoingDOH.py
+++ b/regression-tests.dnsdist/test_OutgoingDOH.py
@@ -283,11 +283,19 @@ class TestOutgoingDOHOpenSSL(DNSDistTest, OutgoingDOHTests):
 addAction(SuffixMatchNodeRule(smn), PoolAction('cache'))
 """
+ @staticmethod
+ def sniCallback(sslSocket, sni, sslContext):
+ assert(sni == 'powerdns.com')
+ return None
+
 @classmethod
 def startResponders(cls):
 tlsContext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 tlsContext.set_alpn_protocols(["h2"])
 tlsContext.load_cert_chain('server.chain', 'server.key')
+ # requires Python 3.7+
+ if hasattr(tlsContext, 'sni_callback'):
+ tlsContext.sni_callback = cls.sniCallback
 print("Launching DOH responder..")
 cls._DOHResponder = threading.Thread(name='DOH Responder', target=cls.DOHResponder, args=[cls._tlsBackendPort, cls._toResponderQueue, cls._fromResponderQueue, False, False, None, tlsContext])
diff --git a/regression-tests.dnsdist/test_OutgoingTLS.py b/regression-tests.dnsdist/test_OutgoingTLS.py
index c07be66337..87db8c461f 100644
--- a/regression-tests.dnsdist/test_OutgoingTLS.py
+++ b/regression-tests.dnsdist/test_OutgoingTLS.py
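Review bot: The SNI check in `sniCallback` (test_OutgoingDOH.py) is an `assert` that runs inside the ssl handshake callback on the responder thread, so a wrong or missing server name (`sni` is None when the ClientHello carries none) ends the handshake with a fatal alert instead of failing the test directly, and the check is dropped entirely under `python -O`. Returning the alert explicitly keeps the check unconditional: `if sni != 'powerdns.com': return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME`. The `hasattr(tlsContext, 'sni_callback')` guard means that on Python older than 3.7 the test passes without verifying SNI at all; logging or skipping there would make the lost coverage visible. The identical hunk in test_OutgoingTLS.py has the same issues, and `startResponders` appears to continue past the end of both hunks.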
@@ -146,10 +146,18 @@ class TestOutgoingTLSOpenSSL(DNSDistTest, OutgoingTLSTests):
 setWebserverConfig({password="%s", apiKey="%s"})
 """
+ @staticmethod
+ def sniCallback(sslSocket, sni, sslContext):
+ assert(sni == 'powerdns.com')
+ return None
+
 @classmethod
 def startResponders(cls):
 tlsContext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 tlsContext.load_cert_chain('server.chain', 'server.key')
+ # requires Python 3.7+
+ if hasattr(tlsContext, 'sni_callback'):
+ tlsContext.sni_callback = cls.sniCallback
 print("Launching TLS responder..")
 cls._TLSResponder = threading.Thread(name='TLS Responder', target=cls.TCPResponder, args=[cls._tlsBackendPort, cls._toResponderQueue, cls._fromResponderQueue, False, False, None, tlsContext])
-- 
2.47.2