ibm-openbmc · priyair · Feb 10, 2026
diff --git a/http/http_client.hpp b/http/http_client.hpp
@@ -644,6 +644,19 @@ class ConnectionInfo : public std::enable_shared_from_this<ConnectionInfo>
                 return;
             }
             sslConn.emplace(conn, *sslCtx);
+            // set SNI hostname
+            if (!SSL_set_tlsext_host_name(sslConn->native_handle(),
+                                          kMtlsSniHostname))
+            {
+                BMCWEB_LOG_ERROR("Failed to set SNI hostname");
+                // Continue - server to detect the mtls connection
+            }
+            else
+            {
+                BMCWEB_LOG_DEBUG(
+                    "Successfully set SNI to {} for mTLS aggregation",
+                    kMtlsSniHostname);
+            }
             setCipherSuiteTLSext();
         }
     }

diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
@@ -10,6 +10,17 @@
 #include <memory>
 #include <optional>
 #include <string>
+// Common SNI hostname for mTLS
+constexpr const char* kMtlsSniHostname = "mtls.bmc";
+
+// SNI parsing macros
+#define SNI_OFFSET_SIZE 2
+#define SNI_NAME_TYPE_SIZE 1
+#define SNI_PARSE_START_POS (SNI_OFFSET_SIZE + SNI_NAME_TYPE_SIZE)
+#define SNI_GET_HOST_LENGTH(sni, pos)                                          \
+    (((uint16_t)(sni)[(pos)] << 8) | (sni)[(pos) + 1])
+#define SNI_HOST_START_POS(pos) ((pos) + SNI_OFFSET_SIZE)
+#define SNI_MIN_LENGTH 5
 
 namespace ensuressl
 {