From 2214ddcdafdaaba29c0539cecf71267cc591193d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 29 May 2019 17:25:27 +0000
Subject: Do not send an SNI extension when resuming a session that contains a server name (which means the client sent SNI during the initial handshake). Issue reported by Renaud Allard. ok tb@
---
 src/lib/libssl/ssl_tlsext.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index b532d49a63..506cfbcfea 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.47 2019/05/28 17:34:32 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.48 2019/05/29 17:25:27 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -677,6 +677,9 @@ tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_sni_server_needs(SSL *s)
 {
+ if (s->internal->hit)
+ return 0;
+
 return (s->session->tlsext_hostname != NULL);
 }
--
cgit v1.2.3-55-g6feb
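Review bot: The early return added to `tlsext_sni_server_needs` has no comment explaining why a resumed session suppresses the extension, so a later reader may take `s->internal->hit` for an optimisation and remove or reorder it. I would add `/* RFC 6066 section 3: no server_name in the ServerHello when resuming a session. */` directly above `if (s->internal->hit)`. The guard also depends on `hit` being final before the ServerHello extensions are built; that ordering lies outside this hunk and is worth confirming. The diffstat lists only ssl_tlsext.c, so there appears to be no regress case covering this; one that resumes a session with a stored `tlsext_hostname` and asserts the function returns 0 would pin the behaviour.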