From 84d8eb08e15e455826ef66a4b1f1f61758cb9aba Mon Sep 17 00:00:00 2001
From: Sebastian Witt
Date: Tue, 4 Jun 2024 14:34:39 +0200
Subject: CryptoPkg: Add SNI extension to TLS ClientHello

Webservers hosting multiple websites require the TLS SNI (Server Name Indication) in the ClientHello to know which certificate to return. The current TLS code does not include the server name in the ClientHello handshake, which leads to failed HTTPS boots when the server does not return the correct certificate. This sets the host name for SNI in TlsSetVerifyHost which receives the host name also for verification against the certificates.

Signed-off-by: Sebastian Witt
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 29d24ab..afbc583 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -500,6 +500,24 @@ TlsSetVerifyHost (
     return EFI_INVALID_PARAMETER;
   }
 
+  DEBUG ((
+    DEBUG_VERBOSE,
+    "%a:%a: SNI hostname: %a\n",
+    gEfiCallerBaseName,
+    __func__,
+    HostName
+    ));
+
+  if (!SSL_set_tlsext_host_name (TlsConn->Ssl, HostName)) {
+    DEBUG ((
+      DEBUG_ERROR,
+      "%a:%a: Could not set hostname %a for SNI\n",
+      gEfiCallerBaseName,
+      __func__,
+      HostName
+      ));
+  }
+
   SSL_set_hostflags (TlsConn->Ssl, Flags);
 
   VerifyParam = SSL_get0_param (TlsConn->Ssl);
-- 
cgit v1.1
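Review bot: The new `SSL_set_tlsext_host_name (TlsConn->Ssl, HostName)` call sends whatever HostName the caller passes as the SNI value, but RFC 6066 forbids IPv4/IPv6 literals in the server_name extension and some servers reject a ClientHello that carries one; since HostName here is also the verification target, an HTTPS boot addressed by IP would hit this. If the rest of TlsSetVerifyHost (outside the hunk) already distinguishes IP literals from DNS names when it configures VerifyParam, the SNI call belongs on the DNS-name branch only, so that a literal address is never sent as SNI. Separately, a failed SSL_set_tlsext_host_name is only logged and the function continues, which turns the missing-SNI case the commit is fixing into a later, less diagnosable handshake failure; consider returning an error status there, e.g. `return EFI_ABORTED;` after the DEBUG_ERROR, or at least documenting in the function header that SNI is best-effort. The body of TlsSetVerifyHost starts and ends outside the hunk.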