Fix session ticket and SNI

When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)

ssl/statem/statem_srvr.c

@@ -2950,7 +2950,21 @@ int tls_construct_new_session_ticket(SSL *s)
      * all the work otherwise use generated values from parent ctx.
      */
     if (tctx->tlsext_ticket_key_cb) {
-        if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0)
+        /* if 0 is returned, write an empty ticket */
+        int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
+                                             hctx, 1);
+
+        if (ret == 0) {
+            l2n(0, p); /* timeout */
+            s2n(0, p); /* length */
+            if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s)))
+                goto err;
+            OPENSSL_free(senc);
+            EVP_CIPHER_CTX_free(ctx);
+            HMAC_CTX_free(hctx);
+            return 1;
+        }
+        if (ret < 0)
             goto err;
         iv_len = EVP_CIPHER_CTX_iv_length(ctx);
     } else {

ssl/t1_lib.c

@@ -1502,6 +1502,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
             return NULL;
         s2n(TLSEXT_TYPE_session_ticket, ret);
         s2n(0, ret);
+    } else {
+        /* if we don't add the above TLSEXT, we can't add a session ticket later */
+        s->tlsext_ticket_expected = 0;
     }
 
     if (s->tlsext_status_expected) {

test/README.ssltest.md

@@ -64,6 +64,16 @@ The test section supports the following options:
   - AcceptAll - accepts all certificates.
   - RejectAll - rejects all certificates.
 
+* ServerName - the server the client is expected to successfully connect to
+  - server1 - the initial context (default)
+  - server2 - the secondary context
+
+* SessionTicketExpected - whether or not a session ticket is expected
+  - Ignore - do not check for a session ticket (default)
+  - Yes - a session ticket is expected
+  - No - a session ticket is not expected
+  - Broken - a special test case where the session ticket callback does not initialize crypto
+
 ## Configuring the client and server
 
 The client and server configurations can be any valid `SSL_CTX`
@@ -78,6 +88,10 @@ server => {
 }
 ```
 
+A server2 section may optionally be defined to configure a secondary
+context that is selected via the ServerName test option. If the server2
+section is not configured, then the configuration matches server.
+
 ### Default server and client configurations
 
 The default server certificate and CA files are added to the configurations

test/generate_ssl_tests.pl

@@ -43,6 +43,12 @@ sub print_templates {
     # Add the implicit base configuration.
     foreach my $test (@ssltests::tests) {
         $test->{"server"} = { (%ssltests::base_server, %{$test->{"server"}}) };
+	# use server values if server2 is not defined
+	if (defined $test->{"server2"}) {
+	    $test->{"server2"} = { (%ssltests::base_server, %{$test->{"server2"}}) };
+	} else {
+	    $test->{"server2"} = { (%ssltests::base_server, %{$test->{"server"}}) };
+	}
         $test->{"client"} = { (%ssltests::base_client, %{$test->{"client"}}) };
     }
 

test/handshake_helper.c

@@ -23,6 +23,7 @@
 typedef struct handshake_ex_data {
     int alert_sent;
     int alert_received;
+    int session_ticket_do_not_call;
 } HANDSHAKE_EX_DATA;
 
 static int ex_data_idx;
@@ -49,12 +50,27 @@ static int verify_accept_callback(X509_STORE_CTX *ctx, void *arg) {
     return 1;
 }
 
+static int broken_session_ticket_callback(SSL* s, unsigned char* key_name, unsigned char *iv,
+                                          EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
+{
+    return 0;
+}
+
+int do_not_call_session_ticket_callback(SSL* s, unsigned char* key_name, unsigned char *iv,
+                                        EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
+{
+    HANDSHAKE_EX_DATA *ex_data =
+        (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx));
+    ex_data->session_ticket_do_not_call = 1;
+    return 0;
+}
+
 /*
  * Configure callbacks and other properties that can't be set directly
  * in the server/client CONF.
  */
-static void configure_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
-                                const SSL_TEST_CTX *test_ctx)
+static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
+                                    const SSL_TEST_CTX *test_ctx)
 {
     switch (test_ctx->client_verify_callback) {
     case SSL_TEST_VERIFY_ACCEPT_ALL:
@@ -68,6 +84,19 @@ static void configure_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
     default:
         break;
     }
+    if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN) {
+        SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_callback);
+    }
+}
+
+/*
+ * Configure callbacks and other properties that can't be set directly
+ * in the server/client CONF.
+ */
+static void configure_handshake_ssl(SSL *server, SSL *client,
+                                    const SSL_TEST_CTX *test_ctx)
+{
+    SSL_set_tlsext_host_name(client, ssl_servername_name(test_ctx->servername));
 }
 
 
@@ -180,13 +209,18 @@ HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
     int client_turn = 1;
     peer_status_t client_status = PEER_RETRY, server_status = PEER_RETRY;
     handshake_status_t status = HANDSHAKE_RETRY;
+    unsigned char* tick = NULL;
+    size_t len = 0;
+    SSL_SESSION* sess = NULL;
 
-    configure_handshake(server_ctx, client_ctx, test_ctx);
+    configure_handshake_ctx(server_ctx, client_ctx, test_ctx);
 
     server = SSL_new(server_ctx);
     client = SSL_new(client_ctx);
     OPENSSL_assert(server != NULL && client != NULL);
 
+    configure_handshake_ssl(server, client, test_ctx);
+
     memset(&server_ex_data, 0, sizeof(server_ex_data));
     memset(&client_ex_data, 0, sizeof(client_ex_data));
     memset(&ret, 0, sizeof(ret));
@@ -266,6 +300,16 @@ HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
     ret.client_alert_received = server_ex_data.alert_received;
     ret.server_protocol = SSL_version(server);
     ret.client_protocol = SSL_version(client);
+    ret.servername = ((SSL_get_SSL_CTX(server) == server_ctx)
+                      ? SSL_TEST_SERVERNAME_SERVER1
+                      : SSL_TEST_SERVERNAME_SERVER2);
+    if ((sess = SSL_get0_session(client)) != NULL)
+        SSL_SESSION_get0_ticket(sess, &tick, &len);
+    if (tick == NULL || len == 0)
+        ret.session_ticket = SSL_TEST_SESSION_TICKET_NO;
+    else
+        ret.session_ticket = SSL_TEST_SESSION_TICKET_YES;
+    ret.session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call;
 
     SSL_free(server);
     SSL_free(client);

test/handshake_helper.h

@@ -26,10 +26,19 @@ typedef struct handshake_result {
     /* Negotiated protocol. On success, these should always match. */
     int server_protocol;
     int client_protocol;
+    /* Server connection */
+    int servername;
+    /* Session ticket status */
+    int session_ticket;
+    /* Was this called on the second context? */
+    int session_ticket_do_not_call;
 } HANDSHAKE_RESULT;
 
 /* Do a handshake and report some information about the result. */
 HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
                               const SSL_TEST_CTX *test_ctx);
 
+int do_not_call_session_ticket_callback(SSL* s, unsigned char* key_name, unsigned char *iv,
+                                        EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc);
+
 #endif  /* HEADER_HANDSHAKE_HELPER_H */

test/recipes/80-test_ssl_new.t

@@ -42,7 +42,7 @@ foreach my $conf (@conf_files) {
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 4;  # = scalar @conf_srcs
+plan tests => 6;  # = scalar @conf_srcs
 
 sub test_conf {
     plan tests => 3;

test/ssl-tests/01-simple.conf

@@ -11,6 +11,7 @@ ssl_conf = 0-default-ssl
 
 [0-default-ssl]
 server = 0-default-server
+server2 = 0-default-server2
 client = 0-default-client
 
 [0-default-server]
@@ -19,6 +20,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[0-default-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [0-default-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -36,6 +43,7 @@ ssl_conf = 1-verify-cert-ssl
 
 [1-verify-cert-ssl]
 server = 1-verify-cert-server
+server2 = 1-verify-cert-server2
 client = 1-verify-cert-client
 
 [1-verify-cert-server]
@@ -44,6 +52,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[1-verify-cert-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [1-verify-cert-client]
 CipherString = DEFAULT
 VerifyMode = Peer

test/ssl-tests/03-custom_verify.conf

@@ -18,6 +18,7 @@ ssl_conf = 0-verify-success-ssl
 
 [0-verify-success-ssl]
 server = 0-verify-success-server
+server2 = 0-verify-success-server2
 client = 0-verify-success-client
 
 [0-verify-success-server]
@@ -26,6 +27,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[0-verify-success-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [0-verify-success-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -43,6 +50,7 @@ ssl_conf = 1-verify-custom-reject-ssl
 
 [1-verify-custom-reject-ssl]
 server = 1-verify-custom-reject-server
+server2 = 1-verify-custom-reject-server2
 client = 1-verify-custom-reject-client
 
 [1-verify-custom-reject-server]
@@ -51,6 +59,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[1-verify-custom-reject-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [1-verify-custom-reject-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -70,6 +84,7 @@ ssl_conf = 2-verify-custom-allow-ssl
 
 [2-verify-custom-allow-ssl]
 server = 2-verify-custom-allow-server
+server2 = 2-verify-custom-allow-server2
 client = 2-verify-custom-allow-client
 
 [2-verify-custom-allow-server]
@@ -78,6 +93,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[2-verify-custom-allow-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [2-verify-custom-allow-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -96,6 +117,7 @@ ssl_conf = 3-noverify-success-ssl
 
 [3-noverify-success-ssl]
 server = 3-noverify-success-server
+server2 = 3-noverify-success-server2
 client = 3-noverify-success-client
 
 [3-noverify-success-server]
@@ -104,6 +126,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[3-noverify-success-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [3-noverify-success-client]
 CipherString = DEFAULT
 
@@ -119,6 +147,7 @@ ssl_conf = 4-noverify-ignore-custom-reject-ssl
 
 [4-noverify-ignore-custom-reject-ssl]
 server = 4-noverify-ignore-custom-reject-server
+server2 = 4-noverify-ignore-custom-reject-server2
 client = 4-noverify-ignore-custom-reject-client
 
 [4-noverify-ignore-custom-reject-server]
@@ -127,6 +156,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[4-noverify-ignore-custom-reject-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [4-noverify-ignore-custom-reject-client]
 CipherString = DEFAULT
 
@@ -143,6 +178,7 @@ ssl_conf = 5-noverify-accept-custom-allow-ssl
 
 [5-noverify-accept-custom-allow-ssl]
 server = 5-noverify-accept-custom-allow-server
+server2 = 5-noverify-accept-custom-allow-server2
 client = 5-noverify-accept-custom-allow-client
 
 [5-noverify-accept-custom-allow-server]
@@ -151,6 +187,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[5-noverify-accept-custom-allow-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [5-noverify-accept-custom-allow-client]
 CipherString = DEFAULT
 
@@ -167,6 +209,7 @@ ssl_conf = 6-verify-fail-no-root-ssl
 
 [6-verify-fail-no-root-ssl]
 server = 6-verify-fail-no-root-server
+server2 = 6-verify-fail-no-root-server2
 client = 6-verify-fail-no-root-client
 
 [6-verify-fail-no-root-server]
@@ -175,6 +218,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[6-verify-fail-no-root-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [6-verify-fail-no-root-client]
 CipherString = DEFAULT
 VerifyMode = Peer
@@ -192,6 +241,7 @@ ssl_conf = 7-verify-custom-success-no-root-ssl
 
 [7-verify-custom-success-no-root-ssl]
 server = 7-verify-custom-success-no-root-server
+server2 = 7-verify-custom-success-no-root-server2
 client = 7-verify-custom-success-no-root-client
 
 [7-verify-custom-success-no-root-server]
@@ -200,6 +250,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[7-verify-custom-success-no-root-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [7-verify-custom-success-no-root-client]
 CipherString = DEFAULT
 VerifyMode = Peer
@@ -217,6 +273,7 @@ ssl_conf = 8-verify-custom-fail-no-root-ssl
 
 [8-verify-custom-fail-no-root-ssl]
 server = 8-verify-custom-fail-no-root-server
+server2 = 8-verify-custom-fail-no-root-server2
 client = 8-verify-custom-fail-no-root-client
 
 [8-verify-custom-fail-no-root-server]
@@ -225,6 +282,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[8-verify-custom-fail-no-root-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [8-verify-custom-fail-no-root-client]
 CipherString = DEFAULT
 VerifyMode = Peer

test/ssl-tests/04-client_auth.conf

@@ -29,6 +29,7 @@ ssl_conf = 0-server-auth-flex-ssl
 
 [0-server-auth-flex-ssl]
 server = 0-server-auth-flex-server
+server2 = 0-server-auth-flex-server2
 client = 0-server-auth-flex-client
 
 [0-server-auth-flex-server]
@@ -37,6 +38,12 @@ CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 
+[0-server-auth-flex-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
 [0-server-auth-flex-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -54,6 +61,7 @@ ssl_conf = 1-client-auth-flex-request-ssl
 
 [1-client-auth-flex-request-ssl]
 server = 1-client-auth-flex-request-server
+server2 = 1-client-auth-flex-request-server2
 client = 1-client-auth-flex-request-client
 
 [1-client-auth-flex-request-server]
@@ -63,6 +71,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
 
+[1-client-auth-flex-request-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Request
+
+
 [1-client-auth-flex-request-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -80,6 +95,7 @@ ssl_conf = 2-client-auth-flex-require-fail-ssl
 
 [2-client-auth-flex-require-fail-ssl]
 server = 2-client-auth-flex-require-fail-server
+server2 = 2-client-auth-flex-require-fail-server2
 client = 2-client-auth-flex-require-fail-client
 
 [2-client-auth-flex-require-fail-server]
@@ -90,6 +106,14 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
 
+[2-client-auth-flex-require-fail-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
 [2-client-auth-flex-require-fail-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -108,6 +132,7 @@ ssl_conf = 3-client-auth-flex-require-ssl
 
 [3-client-auth-flex-require-ssl]
 server = 3-client-auth-flex-require-server
+server2 = 3-client-auth-flex-require-server2
 client = 3-client-auth-flex-require-client
 
 [3-client-auth-flex-require-server]
@@ -118,6 +143,14 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
 
+[3-client-auth-flex-require-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
 [3-client-auth-flex-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -137,6 +170,7 @@ ssl_conf = 4-client-auth-flex-noroot-ssl
 
 [4-client-auth-flex-noroot-ssl]
 server = 4-client-auth-flex-noroot-server
+server2 = 4-client-auth-flex-noroot-server2
 client = 4-client-auth-flex-noroot-client
 
 [4-client-auth-flex-noroot-server]
@@ -146,6 +180,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
 
+[4-client-auth-flex-noroot-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+
 [4-client-auth-flex-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -166,6 +207,7 @@ ssl_conf = 5-server-auth-TLSv1-ssl
 
 [5-server-auth-TLSv1-ssl]
 server = 5-server-auth-TLSv1-server
+server2 = 5-server-auth-TLSv1-server2
 client = 5-server-auth-TLSv1-client
 
 [5-server-auth-TLSv1-server]
@@ -175,6 +217,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 Protocol = TLSv1
 
 
+[5-server-auth-TLSv1-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+
+
 [5-server-auth-TLSv1-client]
 CipherString = DEFAULT
 Protocol = TLSv1
@@ -193,6 +242,7 @@ ssl_conf = 6-client-auth-TLSv1-request-ssl
 
 [6-client-auth-TLSv1-request-ssl]
 server = 6-client-auth-TLSv1-request-server
+server2 = 6-client-auth-TLSv1-request-server2
 client = 6-client-auth-TLSv1-request-client
 
 [6-client-auth-TLSv1-request-server]
@@ -203,6 +253,14 @@ Protocol = TLSv1
 VerifyMode = Request
 
 
+[6-client-auth-TLSv1-request-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Request
+
+
 [6-client-auth-TLSv1-request-client]
 CipherString = DEFAULT
 Protocol = TLSv1
@@ -221,6 +279,7 @@ ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
 
 [7-client-auth-TLSv1-require-fail-ssl]
 server = 7-client-auth-TLSv1-require-fail-server
+server2 = 7-client-auth-TLSv1-require-fail-server2
 client = 7-client-auth-TLSv1-require-fail-client
 
 [7-client-auth-TLSv1-require-fail-server]
@@ -232,6 +291,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
 
+[7-client-auth-TLSv1-require-fail-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
 [7-client-auth-TLSv1-require-fail-client]
 CipherString = DEFAULT
 Protocol = TLSv1
@@ -251,6 +319,7 @@ ssl_conf = 8-client-auth-TLSv1-require-ssl
 
 [8-client-auth-TLSv1-require-ssl]
 server = 8-client-auth-TLSv1-require-server
+server2 = 8-client-auth-TLSv1-require-server2
 client = 8-client-auth-TLSv1-require-client
 
 [8-client-auth-TLSv1-require-server]
@@ -262,6 +331,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
 
+[8-client-auth-TLSv1-require-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
 [8-client-auth-TLSv1-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -282,6 +360,7 @@ ssl_conf = 9-client-auth-TLSv1-noroot-ssl
 
 [9-client-auth-TLSv1-noroot-ssl]
 server = 9-client-auth-TLSv1-noroot-server
+server2 = 9-client-auth-TLSv1-noroot-server2
 client = 9-client-auth-TLSv1-noroot-client
 
 [9-client-auth-TLSv1-noroot-server]
@@ -292,6 +371,14 @@ Protocol = TLSv1
 VerifyMode = Require
 
 
+[9-client-auth-TLSv1-noroot-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Require
+
+
 [9-client-auth-TLSv1-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -313,6 +400,7 @@ ssl_conf = 10-server-auth-TLSv1.1-ssl
 
 [10-server-auth-TLSv1.1-ssl]
 server = 10-server-auth-TLSv1.1-server
+server2 = 10-server-auth-TLSv1.1-server2
 client = 10-server-auth-TLSv1.1-client
 
 [10-server-auth-TLSv1.1-server]
@@ -322,6 +410,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 Protocol = TLSv1.1
 
 
+[10-server-auth-TLSv1.1-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+
+
 [10-server-auth-TLSv1.1-client]
 CipherString = DEFAULT
 Protocol = TLSv1.1
@@ -340,6 +435,7 @@ ssl_conf = 11-client-auth-TLSv1.1-request-ssl
 
 [11-client-auth-TLSv1.1-request-ssl]
 server = 11-client-auth-TLSv1.1-request-server
+server2 = 11-client-auth-TLSv1.1-request-server2
 client = 11-client-auth-TLSv1.1-request-client
 
 [11-client-auth-TLSv1.1-request-server]
@@ -350,6 +446,14 @@ Protocol = TLSv1.1
 VerifyMode = Request
 
 
+[11-client-auth-TLSv1.1-request-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Request
+
+
 [11-client-auth-TLSv1.1-request-client]
 CipherString = DEFAULT
 Protocol = TLSv1.1
@@ -368,6 +472,7 @@ ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
 
 [12-client-auth-TLSv1.1-require-fail-ssl]
 server = 12-client-auth-TLSv1.1-require-fail-server
+server2 = 12-client-auth-TLSv1.1-require-fail-server2
 client = 12-client-auth-TLSv1.1-require-fail-client
 
 [12-client-auth-TLSv1.1-require-fail-server]
@@ -379,6 +484,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
 
+[12-client-auth-TLSv1.1-require-fail-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
 [12-client-auth-TLSv1.1-require-fail-client]
 CipherString = DEFAULT
 Protocol = TLSv1.1
@@ -398,6 +512,7 @@ ssl_conf = 13-client-auth-TLSv1.1-require-ssl
 
 [13-client-auth-TLSv1.1-require-ssl]
 server = 13-client-auth-TLSv1.1-require-server
+server2 = 13-client-auth-TLSv1.1-require-server2
 client = 13-client-auth-TLSv1.1-require-client
 
 [13-client-auth-TLSv1.1-require-server]
@@ -409,6 +524,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
 
+[13-client-auth-TLSv1.1-require-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
 [13-client-auth-TLSv1.1-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -429,6 +553,7 @@ ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
 
 [14-client-auth-TLSv1.1-noroot-ssl]
 server = 14-client-auth-TLSv1.1-noroot-server
+server2 = 14-client-auth-TLSv1.1-noroot-server2
 client = 14-client-auth-TLSv1.1-noroot-client
 
 [14-client-auth-TLSv1.1-noroot-server]
@@ -439,6 +564,14 @@ Protocol = TLSv1.1
 VerifyMode = Require
 
 
+[14-client-auth-TLSv1.1-noroot-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Require
+
+
 [14-client-auth-TLSv1.1-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -460,6 +593,7 @@ ssl_conf = 15-server-auth-TLSv1.2-ssl
 
 [15-server-auth-TLSv1.2-ssl]
 server = 15-server-auth-TLSv1.2-server
+server2 = 15-server-auth-TLSv1.2-server2
 client = 15-server-auth-TLSv1.2-client
 
 [15-server-auth-TLSv1.2-server]
@@ -469,6 +603,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 Protocol = TLSv1.2
 
 
+[15-server-auth-TLSv1.2-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+
+
 [15-server-auth-TLSv1.2-client]
 CipherString = DEFAULT
 Protocol = TLSv1.2
@@ -487,6 +628,7 @@ ssl_conf = 16-client-auth-TLSv1.2-request-ssl
 
 [16-client-auth-TLSv1.2-request-ssl]
 server = 16-client-auth-TLSv1.2-request-server
+server2 = 16-client-auth-TLSv1.2-request-server2
 client = 16-client-auth-TLSv1.2-request-client
 
 [16-client-auth-TLSv1.2-request-server]
@@ -497,6 +639,14 @@ Protocol = TLSv1.2
 VerifyMode = Request
 
 
+[16-client-auth-TLSv1.2-request-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Request
+
+
 [16-client-auth-TLSv1.2-request-client]
 CipherString = DEFAULT
 Protocol = TLSv1.2
@@ -515,6 +665,7 @@ ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
 
 [17-client-auth-TLSv1.2-require-fail-ssl]
 server = 17-client-auth-TLSv1.2-require-fail-server
+server2 = 17-client-auth-TLSv1.2-require-fail-server2
 client = 17-client-auth-TLSv1.2-require-fail-client
 
 [17-client-auth-TLSv1.2-require-fail-server]
@@ -526,6 +677,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
 
+[17-client-auth-TLSv1.2-require-fail-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
 [17-client-auth-TLSv1.2-require-fail-client]
 CipherString = DEFAULT
 Protocol = TLSv1.2
@@ -545,6 +705,7 @@ ssl_conf = 18-client-auth-TLSv1.2-require-ssl
 
 [18-client-auth-TLSv1.2-require-ssl]
 server = 18-client-auth-TLSv1.2-require-server
+server2 = 18-client-auth-TLSv1.2-require-server2
 client = 18-client-auth-TLSv1.2-require-client
 
 [18-client-auth-TLSv1.2-require-server]
@@ -556,6 +717,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
 
+[18-client-auth-TLSv1.2-require-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
 [18-client-auth-TLSv1.2-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
@@ -576,6 +746,7 @@ ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
 
 [19-client-auth-TLSv1.2-noroot-ssl]
 server = 19-client-auth-TLSv1.2-noroot-server
+server2 = 19-client-auth-TLSv1.2-noroot-server2
 client = 19-client-auth-TLSv1.2-noroot-client
 
 [19-client-auth-TLSv1.2-noroot-server]
@@ -586,6 +757,14 @@ Protocol = TLSv1.2
 VerifyMode = Require
 
 
+[19-client-auth-TLSv1.2-noroot-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Require
+
+
 [19-client-auth-TLSv1.2-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT

test/ssl-tests/05-sni.conf

+# Generated with generate_ssl_tests.pl
+
+num_tests = 1
+
+test-0 = 0-SNI-default
+# ===========================================================
+
+[0-SNI-default]
+ssl_conf = 0-SNI-default-ssl
+
+[0-SNI-default-ssl]
+server = 0-SNI-default-server
+server2 = 0-SNI-default-server2
+client = 0-SNI-default-client
+
+[0-SNI-default-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-SNI-default-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-SNI-default-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-0]
+ExpectedResult = Success
+ServerName = server2
+
+

test/ssl-tests/05-sni.conf.in

+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+use strict;
+use warnings;
+
+package ssltests;
+
+our @tests = (
+    {
+        name => "SNI-default",
+        server => { },
+        client => { },
+        test   => { "ServerName" => "server2",
+		    "ExpectedResult" => "Success" },
+    },
+);

test/ssl-tests/06-sni-ticket.conf

+# Generated with generate_ssl_tests.pl
+
+num_tests = 17
+
+test-0 = 0-sni-session-ticket
+test-1 = 1-sni-session-ticket
+test-2 = 2-sni-session-ticket
+test-3 = 3-sni-session-ticket
+test-4 = 4-sni-session-ticket
+test-5 = 5-sni-session-ticket
+test-6 = 6-sni-session-ticket
+test-7 = 7-sni-session-ticket
+test-8 = 8-sni-session-ticket
+test-9 = 9-sni-session-ticket
+test-10 = 10-sni-session-ticket
+test-11 = 11-sni-session-ticket
+test-12 = 12-sni-session-ticket
+test-13 = 13-sni-session-ticket
+test-14 = 14-sni-session-ticket
+test-15 = 15-sni-session-ticket
+test-16 = 16-sni-session-ticket
+# ===========================================================
+
+[0-sni-session-ticket]
+ssl_conf = 0-sni-session-ticket-ssl
+
+[0-sni-session-ticket-ssl]
+server = 0-sni-session-ticket-server
+server2 = 0-sni-session-ticket-server2
+client = 0-sni-session-ticket-client
+
+[0-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-0]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = Broken
+
+
+# ===========================================================
+
+[1-sni-session-ticket]
+ssl_conf = 1-sni-session-ticket-ssl
+
+[1-sni-session-ticket-ssl]
+server = 1-sni-session-ticket-server
+server2 = 1-sni-session-ticket-server2
+client = 1-sni-session-ticket-client
+
+[1-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[1-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[1-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-1]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = Yes
+
+
+# ===========================================================
+
+[2-sni-session-ticket]
+ssl_conf = 2-sni-session-ticket-ssl
+
+[2-sni-session-ticket-ssl]
+server = 2-sni-session-ticket-server
+server2 = 2-sni-session-ticket-server2
+client = 2-sni-session-ticket-client
+
+[2-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[2-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[2-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-2]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = Yes
+
+
+# ===========================================================
+
+[3-sni-session-ticket]
+ssl_conf = 3-sni-session-ticket-ssl
+
+[3-sni-session-ticket-ssl]
+server = 3-sni-session-ticket-server
+server2 = 3-sni-session-ticket-server2
+client = 3-sni-session-ticket-client
+
+[3-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[3-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[3-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-3]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = Yes
+
+
+# ===========================================================
+
+[4-sni-session-ticket]
+ssl_conf = 4-sni-session-ticket-ssl
+
+[4-sni-session-ticket-ssl]
+server = 4-sni-session-ticket-server
+server2 = 4-sni-session-ticket-server2
+client = 4-sni-session-ticket-client
+
+[4-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[4-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[4-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-4]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[5-sni-session-ticket]
+ssl_conf = 5-sni-session-ticket-ssl
+
+[5-sni-session-ticket-ssl]
+server = 5-sni-session-ticket-server
+server2 = 5-sni-session-ticket-server2
+client = 5-sni-session-ticket-client
+
+[5-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[5-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[5-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-5]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[6-sni-session-ticket]
+ssl_conf = 6-sni-session-ticket-ssl
+
+[6-sni-session-ticket-ssl]
+server = 6-sni-session-ticket-server
+server2 = 6-sni-session-ticket-server2
+client = 6-sni-session-ticket-client
+
+[6-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[6-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[6-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-6]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[7-sni-session-ticket]
+ssl_conf = 7-sni-session-ticket-ssl
+
+[7-sni-session-ticket-ssl]
+server = 7-sni-session-ticket-server
+server2 = 7-sni-session-ticket-server2
+client = 7-sni-session-ticket-client
+
+[7-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[7-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[7-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-7]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[8-sni-session-ticket]
+ssl_conf = 8-sni-session-ticket-ssl
+
+[8-sni-session-ticket-ssl]
+server = 8-sni-session-ticket-server
+server2 = 8-sni-session-ticket-server2
+client = 8-sni-session-ticket-client
+
+[8-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[8-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[8-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-8]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[9-sni-session-ticket]
+ssl_conf = 9-sni-session-ticket-ssl
+
+[9-sni-session-ticket-ssl]
+server = 9-sni-session-ticket-server
+server2 = 9-sni-session-ticket-server2
+client = 9-sni-session-ticket-client
+
+[9-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[9-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[9-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-9]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[10-sni-session-ticket]
+ssl_conf = 10-sni-session-ticket-ssl
+
+[10-sni-session-ticket-ssl]
+server = 10-sni-session-ticket-server
+server2 = 10-sni-session-ticket-server2
+client = 10-sni-session-ticket-client
+
+[10-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[10-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[10-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-10]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[11-sni-session-ticket]
+ssl_conf = 11-sni-session-ticket-ssl
+
+[11-sni-session-ticket-ssl]
+server = 11-sni-session-ticket-server
+server2 = 11-sni-session-ticket-server2
+client = 11-sni-session-ticket-client
+
+[11-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[11-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[11-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-11]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[12-sni-session-ticket]
+ssl_conf = 12-sni-session-ticket-ssl
+
+[12-sni-session-ticket-ssl]
+server = 12-sni-session-ticket-server
+server2 = 12-sni-session-ticket-server2
+client = 12-sni-session-ticket-client
+
+[12-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[12-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[12-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-12]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[13-sni-session-ticket]
+ssl_conf = 13-sni-session-ticket-ssl
+
+[13-sni-session-ticket-ssl]
+server = 13-sni-session-ticket-server
+server2 = 13-sni-session-ticket-server2
+client = 13-sni-session-ticket-client
+
+[13-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[13-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[13-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-13]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[14-sni-session-ticket]
+ssl_conf = 14-sni-session-ticket-ssl
+
+[14-sni-session-ticket-ssl]
+server = 14-sni-session-ticket-server
+server2 = 14-sni-session-ticket-server2
+client = 14-sni-session-ticket-client
+
+[14-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[14-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[14-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-14]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[15-sni-session-ticket]
+ssl_conf = 15-sni-session-ticket-ssl
+
+[15-sni-session-ticket-ssl]
+server = 15-sni-session-ticket-server
+server2 = 15-sni-session-ticket-server2
+client = 15-sni-session-ticket-client
+
+[15-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[15-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[15-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-15]
+ExpectedResult = Success
+ServerName = server1
+SessionTicketExpected = No
+
+
+# ===========================================================
+
+[16-sni-session-ticket]
+ssl_conf = 16-sni-session-ticket-ssl
+
+[16-sni-session-ticket-ssl]
+server = 16-sni-session-ticket-server
+server2 = 16-sni-session-ticket-server2
+client = 16-sni-session-ticket-client
+
+[16-sni-session-ticket-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[16-sni-session-ticket-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[16-sni-session-ticket-client]
+CipherString = DEFAULT
+Options = -SessionTicket
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-16]
+ExpectedResult = Success
+ServerName = server2
+SessionTicketExpected = No
+
+

test/ssl-tests/06-sni-ticket.conf.in

+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Test version negotiation
+
+use strict;
+use warnings;
+
+package ssltests;
+
+
+our @tests = ();
+
+sub generate_tests() {
+    foreach my $c ("SessionTicket", "-SessionTicket") {
+	foreach my $s1 ("SessionTicket", "-SessionTicket") {
+	    foreach my $s2 ("SessionTicket", "-SessionTicket") {
+		foreach my $n ("server1", "server2") {
+		    my $result = expected_result($c, $s1, $s2, $n);
+                    push @tests, {
+                        "name" => "sni-session-ticket",
+                        "client" => {
+                            "Options" => $c,
+                        },
+                        "server" => {
+                            "Options" => $s1,
+                        },
+			"server2" => {
+			    "Options" => $s2,
+			},
+                        "test" => {
+                            "ServerName" => $n,
+                            "ExpectedResult" => "Success",
+			    "SessionTicketExpected" => $result,
+                        }
+                    };
+                }
+            }
+        }
+    }
+}
+
+# If the client has session tickets disabled, then No support
+# If the server initial_ctx has session tickets disabled, then No support
+# If SNI is in use, then if the "switched-to" context has session tickets disabled,
+#    then No support
+sub expected_result {
+    my ($c, $s1, $s2, $n) = @_;
+
+    return "No" if $c eq "-SessionTicket";
+    return "No" if $s1 eq "-SessionTicket";
+    return "No" if ($s2 eq "-SessionTicket" && $n eq "server2");
+
+    return "Yes";
+
+}
+
+# Add a "Broken" case.
+push @tests, {
+    "name" => "sni-session-ticket",
+    "client" => {
+	"Options" => "SessionTicket",
+    },
+    "server" => {
+	"Options" => "SessionTicket",
+    },
+    "server2" => {
+	"Options" => "SessionTicket",
+    },
+    "test" => {
+	"ServerName" => "server1",
+	"ExpectedResult" => "Success",
+	"SessionTicketExpected" => "Broken",
+    }
+};
+
+generate_tests();

test/ssl_test.c

@@ -8,6 +8,7 @@
  */
 
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/conf.h>
 #include <openssl/err.h>
@@ -122,6 +123,33 @@ static int check_protocol(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx)
     return 1;
 }
 
+static int check_servername(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx)
+{
+    if (result.servername != test_ctx->servername) {
+        fprintf(stderr, "Client ServerName mismatch, expected %s, got %s\n.",
+                ssl_servername_name(test_ctx->servername),
+                ssl_servername_name(result.servername));
+        return 0;
+    }
+    return 1;
+}
+
+static int check_session_ticket_expected(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx)
+{
+    if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_IGNORE)
+        return 1;
+    if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN &&
+        result.session_ticket == SSL_TEST_SESSION_TICKET_NO)
+        return 1;
+    if (result.session_ticket != test_ctx->session_ticket_expected) {
+        fprintf(stderr, "Client SessionTicketExpected mismatch, expected %s, got %s\n.",
+                ssl_session_ticket_expected_name(test_ctx->session_ticket_expected),
+                ssl_session_ticket_expected_name(result.session_ticket));
+        return 0;
+    }
+    return 1;
+}
+
 /*
  * This could be further simplified by constructing an expected
  * HANDSHAKE_RESULT, and implementing comparison methods for
@@ -132,29 +160,62 @@ static int check_test(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx)
     int ret = 1;
     ret &= check_result(result, test_ctx);
     ret &= check_alerts(result, test_ctx);
-    if (result.result == SSL_TEST_SUCCESS)
+    if (result.result == SSL_TEST_SUCCESS) {
         ret &= check_protocol(result, test_ctx);
+        ret &= check_servername(result, test_ctx);
+        ret &= check_session_ticket_expected(result, test_ctx);
+        ret &= (result.session_ticket_do_not_call == 0);
+    }
     return ret;
 }
 
+static int servername_callback(SSL *s, int *ad, void *arg)
+{
+    const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+    if (servername != NULL && !strcmp(servername, "server2")) {
+        SSL_CTX *new_ctx = (SSL_CTX*)arg;
+        SSL_set_SSL_CTX(s, new_ctx);
+        /*
+         * Copy over all the SSL_CTX options - reasonable behavior
+         * allows testing of cases where the options between two
+         * contexts differ/conflict
+         */
+        SSL_clear_options(s, 0xFFFFFFFFL);
+        SSL_set_options(s, SSL_CTX_get_options(new_ctx));
+    }
+    return SSL_TLSEXT_ERR_OK;
+}
+
 static int execute_test(SSL_TEST_FIXTURE fixture)
 {
     int ret = 0;
-    SSL_CTX *server_ctx = NULL, *client_ctx = NULL;
+    SSL_CTX *server_ctx = NULL, *server2_ctx = NULL, *client_ctx = NULL;
     SSL_TEST_CTX *test_ctx = NULL;
     HANDSHAKE_RESULT result;
 
     server_ctx = SSL_CTX_new(TLS_server_method());
+    server2_ctx = SSL_CTX_new(TLS_server_method());
     client_ctx = SSL_CTX_new(TLS_client_method());
-    OPENSSL_assert(server_ctx != NULL && client_ctx != NULL);
+    OPENSSL_assert(server_ctx != NULL && server2_ctx != NULL && client_ctx != NULL);
 
     OPENSSL_assert(CONF_modules_load(conf, fixture.test_app, 0) > 0);
 
     if (!SSL_CTX_config(server_ctx, "server")
-       || !SSL_CTX_config(client_ctx, "client")) {
+        || !SSL_CTX_config(server2_ctx, "server2")
+        || !SSL_CTX_config(client_ctx, "client")) {
         goto err;
     }
 
+    /* link the two contexts for SNI purposes */
+    SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_callback);
+    SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
+    /*
+     * The initial_ctx/session_ctx always handles the encrypt/decrypt of the
+     * session ticket. This ticket_key callback is assigned to the second
+     * session (assigned via SNI), and should never be invoked
+     */
+    SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx, do_not_call_session_ticket_callback);
+
     test_ctx = SSL_TEST_CTX_create(conf, fixture.test_app);
     if (test_ctx == NULL)
         goto err;
@@ -166,6 +227,7 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
 err:
     CONF_modules_unload(0);
     SSL_CTX_free(server_ctx);
+    SSL_CTX_free(server2_ctx);
     SSL_CTX_free(client_ctx);
     SSL_TEST_CTX_free(test_ctx);
     if (ret != 1)

test/ssl_test.tmpl

@@ -3,6 +3,7 @@ ssl_conf = {-$testname-}-ssl
 
 [{-$testname-}-ssl]
 server = {-$testname-}-server
+server2 = {-$testname-}-server2
 client = {-$testname-}-client
 
 [{-$testname-}-server]
@@ -12,6 +13,13 @@ client = {-$testname-}-client
     }
 -}
 
+[{-$testname-}-server2]
+{-
+    foreach my $key (sort keys %server2) {
+        $OUT .= qq{$key} . " = " . qq{$server2{$key}\n} if defined $server2{$key};
+    }
+-}
+
 [{-$testname-}-client]
 {-
     foreach my $key (sort keys %client) {

test/ssl_test_ctx.c

@@ -154,6 +154,62 @@ const char *ssl_verify_callback_name(ssl_verify_callback_t callback)
                      callback);
 }
 
+/**************/
+/* ServerName */
+/**************/
+
+static const test_enum ssl_servername[] = {
+    {"server1", SSL_TEST_SERVERNAME_SERVER1},
+    {"server2", SSL_TEST_SERVERNAME_SERVER2},
+};
+
+__owur static int parse_servername(SSL_TEST_CTX *test_ctx,
+                                   const char *value)
+{
+    int ret_value;
+    if (!parse_enum(ssl_servername, OSSL_NELEM(ssl_servername),
+                    &ret_value, value)) {
+        return 0;
+    }
+    test_ctx->servername = ret_value;
+    return 1;
+}
+
+const char *ssl_servername_name(ssl_servername_t server)
+{
+    return enum_name(ssl_servername, OSSL_NELEM(ssl_servername),
+                     server);
+}
+
+/*************************/
+/* SessionTicketExpected */
+/*************************/
+
+static const test_enum ssl_session_ticket_expected[] = {
+    {"Ignore", SSL_TEST_SESSION_TICKET_IGNORE},
+    {"Yes", SSL_TEST_SESSION_TICKET_YES},
+    {"No", SSL_TEST_SESSION_TICKET_NO},
+    {"Broken", SSL_TEST_SESSION_TICKET_BROKEN},
+};
+
+__owur static int parse_session_ticket_expected(SSL_TEST_CTX *test_ctx,
+                                                const char *value)
+{
+    int ret_value;
+    if (!parse_enum(ssl_session_ticket_expected, OSSL_NELEM(ssl_session_ticket_expected),
+                    &ret_value, value)) {
+        return 0;
+    }
+    test_ctx->session_ticket_expected = ret_value;
+    return 1;
+}
+
+const char *ssl_session_ticket_expected_name(ssl_session_ticket_expected_t server)
+{
+    return enum_name(ssl_session_ticket_expected,
+                     OSSL_NELEM(ssl_session_ticket_expected),
+                     server);
+}
 
 /*************************************************************/
 /* Known test options and their corresponding parse methods. */
@@ -170,6 +226,8 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
     { "ServerAlert", &parse_server_alert },
     { "Protocol", &parse_protocol },
     { "ClientVerifyCallback", &parse_client_verify_callback },
+    { "ServerName", &parse_servername },
+    { "SessionTicketExpected", &parse_session_ticket_expected },
 };
 
 

test/ssl_test_ctx.h

@@ -26,6 +26,18 @@ typedef enum {
     SSL_TEST_VERIFY_REJECT_ALL
 } ssl_verify_callback_t;
 
+typedef enum {
+    SSL_TEST_SERVERNAME_SERVER1 = 0, /* Default */
+    SSL_TEST_SERVERNAME_SERVER2
+} ssl_servername_t;
+
+typedef enum {
+    SSL_TEST_SESSION_TICKET_IGNORE = 0, /* Default */
+    SSL_TEST_SESSION_TICKET_YES,
+    SSL_TEST_SESSION_TICKET_NO,
+    SSL_TEST_SESSION_TICKET_BROKEN, /* Special test */
+} ssl_session_ticket_expected_t;
+
 typedef struct ssl_test_ctx {
     /* Test expectations. */
     /* Defaults to SUCCESS. */
@@ -41,12 +53,17 @@ typedef struct ssl_test_ctx {
     int protocol;
     /* One of a number of predefined custom callbacks. */
     ssl_verify_callback_t client_verify_callback;
+    /* One of a number of predefined server names use by the client */
+    ssl_servername_t servername;
+    ssl_session_ticket_expected_t session_ticket_expected;
 } SSL_TEST_CTX;
 
 const char *ssl_test_result_name(ssl_test_result_t result);
 const char *ssl_alert_name(int alert);
 const char *ssl_protocol_name(int protocol);
 const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback);
+const char *ssl_servername_name(ssl_servername_t server);
+const char *ssl_session_ticket_expected_name(ssl_session_ticket_expected_t server);
 
 /*
  * Load the test case context from |conf|.

test/ssl_test_ctx_test.c

@@ -64,6 +64,18 @@ static int SSL_TEST_CTX_equal(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2)
                 ssl_verify_callback_name(ctx2->client_verify_callback));
         return 0;
     }
+    if (ctx->servername != ctx2->servername) {
+        fprintf(stderr, "ServerName mismatch: %s vs %s.\n",
+                ssl_servername_name(ctx->servername),
+                ssl_servername_name(ctx2->servername));
+        return 0;
+    }
+    if (ctx->session_ticket_expected != ctx2->session_ticket_expected) {
+        fprintf(stderr, "SessionTicketExpected mismatch: %s vs %s.\n",
+                ssl_session_ticket_expected_name(ctx->session_ticket_expected),
+                ssl_session_ticket_expected_name(ctx2->session_ticket_expected));
+        return 0;
+    }
 
     return 1;
 }
@@ -141,7 +153,9 @@ static int test_good_configuration()
     fixture.expected_ctx->client_alert = SSL_AD_UNKNOWN_CA;
     fixture.expected_ctx->server_alert = 0;  /* No alert. */
     fixture.expected_ctx->protocol = TLS1_1_VERSION;
-    fixture.expected_ctx->client_verify_callback = SSL_TEST_VERIFY_REJECT_ALL,
+    fixture.expected_ctx->client_verify_callback = SSL_TEST_VERIFY_REJECT_ALL;
+    fixture.expected_ctx->servername = SSL_TEST_SERVERNAME_SERVER2;
+    fixture.expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
     EXECUTE_SSL_TEST_CTX_TEST();
 }
 
@@ -151,6 +165,8 @@ static const char *bad_configurations[] = {
     "ssltest_unknown_alert",
     "ssltest_unknown_protocol",
     "ssltest_unknown_verify_callback",
+    "ssltest_unknown_servername",
+    "ssltest_unknown_session_ticket_expected",
 };
 
 static int test_bad_configuration(int idx)

test/ssl_test_ctx_test.conf

@@ -5,6 +5,8 @@ ExpectedResult = ServerFail
 ClientAlert = UnknownCA
 Protocol = TLSv1.1
 ClientVerifyCallback = RejectAll
+ServerName = server2
+SessionTicketExpected = Yes
 
 [ssltest_unknown_option]
 UnknownOption = Foo
@@ -20,3 +22,9 @@ Protocol = Foo
 
 [ssltest_unknown_verify_callback]
 ClientVerifyCallback = Foo
+
+[ssltest_unknown_servername]
+ServerName = Foo
+
+[ssltest_unknown_session_ticket_expected]
+SessionTicketExpected = Foo