tls: enforce certificate verification

- add option to use test certificate in the ca chain
- add hostname to extended session endpoint fields and connect api
  parameters. If hostname is present, certificate validation is
  enforced.
- use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A
  different path can be provided via startup config

Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb
Signed-off-by: Florin Coras <fcoras@cisco.com>

7 files changed, 122 insertions, 82 deletions

diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c
index 12a5701fdf3..dbd5e49417f 100644
--- a/src/vnet/session/application_interface.c
+++ b/src/vnet/session/application_interface.c
@@ -27,54 +27,58 @@
  */
 const char test_srv_crt_rsa[] =
   "-----BEGIN CERTIFICATE-----\r\n"
-  "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-  "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-  "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-  "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-  "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-  "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-  "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-  "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-  "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-  "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-  "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-  "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
-  "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
-  "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
-  "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
-  "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
-  "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
-  "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n";
+  "MIID5zCCAs+gAwIBAgIJALeMYCEHrTtJMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD\r\n"
+  "VQQGEwJVUzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMQ4wDAYDVQQK\r\n"
+  "DAVDaXNjbzEOMAwGA1UECwwFZmQuaW8xFjAUBgNVBAMMDXRlc3R0bHMuZmQuaW8x\r\n"
+  "IjAgBgkqhkiG9w0BCQEWE3ZwcC1kZXZAbGlzdHMuZmQuaW8wHhcNMTgwMzA1MjEx\r\n"
+  "NTEyWhcNMjgwMzAyMjExNTEyWjCBiTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB\r\n"
+  "MREwDwYDVQQHDAhTYW4gSm9zZTEOMAwGA1UECgwFQ2lzY28xDjAMBgNVBAsMBWZk\r\n"
+  "LmlvMRYwFAYDVQQDDA10ZXN0dGxzLmZkLmlvMSIwIAYJKoZIhvcNAQkBFhN2cHAt\r\n"
+  "ZGV2QGxpc3RzLmZkLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n"
+  "4C1k8a1DuStgggqT4o09fP9sJ2dC54bxhS/Xk2VEfaIZ222WSo4X/syRVfVy9Yah\r\n"
+  "cpI1zJ/RDxaZSFhgA+nPZBrFMsrULkrdAOpOVj8eDEp9JuWdO2ODSoFnCvLxcYWB\r\n"
+  "Yc5kHryJpEaGJl1sFQSesnzMFty/59ta0stk0Fp8r5NhIjWvSovGzPo6Bhz+VS2c\r\n"
+  "ebIZh4x1t2hHaFcgm0qJoJ6DceReWCW8w+yOVovTolGGq+bpb2Hn7MnRSZ2K2NdL\r\n"
+  "+aLXpkZbS/AODP1FF2vTO1mYL290LO7/51vJmPXNKSDYMy5EvILr5/VqtjsFCwRL\r\n"
+  "Q4jcM/+GeHSAFWx4qIv0BwIDAQABo1AwTjAdBgNVHQ4EFgQUWa1SOB37xmT53tZQ\r\n"
+  "aXuLLhRI7U8wHwYDVR0jBBgwFoAUWa1SOB37xmT53tZQaXuLLhRI7U8wDAYDVR0T\r\n"
+  "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoUht13W4ya27NVzQuCMvqPWL3VM4\r\n"
+  "3xbPFk02FaGz/WupPu276zGlzJAZrbuDcQowwwU1Ni1Yygxl96s1c2M5rHDTrOKG\r\n"
+  "rK0hbkSFBo+i6I8u4HiiQ4rYmG0Hv6+sXn3of0HsbtDPGgWZoipPWDljPYEURu3e\r\n"
+  "3HRe/Dtsj9CakBoSDzs8ndWaBR+f4sM9Tk1cjD46Gq2T/qpSPXqKxEUXlzhdCAn4\r\n"
+  "twub17Bq2kykHpppCwPg5M+v30tHG/R2Go15MeFWbEJthFk3TZMjKL7UFs7fH+x2\r\n"
+  "wSonXb++jY+KmCb93C+soABBizE57g/KmiR2IxQ/LMjDik01RSUIaM0lLA==\r\n"
+  "-----END CERTIFICATE-----\r\n";
 const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa);
 
 const char test_srv_key_rsa[] =
-  "-----BEGIN RSA PRIVATE KEY-----\r\n"
-  "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
-  "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
-  "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
-  "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
-  "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
-  "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
-  "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
-  "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
-  "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
-  "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
-  "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
-  "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
-  "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
-  "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
-  "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
-  "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
-  "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
-  "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
-  "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
-  "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
-  "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
-  "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
-  "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
-  "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
-  "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
-  "-----END RSA PRIVATE KEY-----\r\n";
+  "-----BEGIN PRIVATE KEY-----\r\n"
+  "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgLWTxrUO5K2CC\r\n"
+  "CpPijT18/2wnZ0LnhvGFL9eTZUR9ohnbbZZKjhf+zJFV9XL1hqFykjXMn9EPFplI\r\n"
+  "WGAD6c9kGsUyytQuSt0A6k5WPx4MSn0m5Z07Y4NKgWcK8vFxhYFhzmQevImkRoYm\r\n"
+  "XWwVBJ6yfMwW3L/n21rSy2TQWnyvk2EiNa9Ki8bM+joGHP5VLZx5shmHjHW3aEdo\r\n"
+  "VyCbSomgnoNx5F5YJbzD7I5Wi9OiUYar5ulvYefsydFJnYrY10v5otemRltL8A4M\r\n"
+  "/UUXa9M7WZgvb3Qs7v/nW8mY9c0pINgzLkS8guvn9Wq2OwULBEtDiNwz/4Z4dIAV\r\n"
+  "bHioi/QHAgMBAAECggEBAMzGipP8+oT166U+NlJXRFifFVN1DvdhG9PWnOxGL+c3\r\n"
+  "ILmBBC08WQzmHshPemBvR6DZkA1H23cV5JTiLWrFtC00CvhXsLRMrE5+uWotI6yE\r\n"
+  "iofybMroHvD6/X5R510UX9hQ6MHu5ShLR5VZ9zXHz5MpTmB/60jG5dLx+jgcwBK8\r\n"
+  "LuGv2YB/WCUwT9QJ3YU2eaingnXtz/MrFbkbltrqlnBdlD+kTtw6Yac9y1XuuQXc\r\n"
+  "BPeulLNDuPolJVWbUvDBZrpt2dXTgz8ws1sv+wCNE0xwQJsqW4Nx3QkpibUL9RUr\r\n"
+  "CVbKlNfa9lopT6nGKlgX69R/uH35yh9AOsfasro6w0ECgYEA82UJ8u/+ORah+0sF\r\n"
+  "Q0FfW5MTdi7OAUHOz16pUsGlaEv0ERrjZxmAkHA/VRwpvDBpx4alCv0Hc39PFLIk\r\n"
+  "nhSsM2BEuBkTAs6/GaoNAiBtQVE/hN7awNRWVmlieS0go3Y3dzaE9IUMyj8sPOFT\r\n"
+  "5JdJ6BM69PHKCkY3dKdnnfpFEuECgYEA68mRpteunF1mdZgXs+WrN+uLlRrQR20F\r\n"
+  "ZyMYiUCH2Dtn26EzA2moy7FipIIrQcX/j+KhYNGM3e7MU4LymIO29E18mn8JODnH\r\n"
+  "sQOXzBTsf8A4yIVMkcuQD3bfb0JiUGYUPOidTp2N7IJA7+6Yc3vQOyb74lnKnJoO\r\n"
+  "gougPT2wS+cCgYAn7muzb6xFsXDhyW0Tm6YJYBfRS9yAWEuVufINobeBZPSl2cN1\r\n"
+  "Jrnw+HlrfTNbrJWuJmjtZJXUXQ6cVp2rUbjutNyRV4vG6iRwEXYQ40EJdkr1gZpi\r\n"
+  "CHQhuShuuPih2MNAy7EEbM+sXrDjTBR3bFqzuHPzu7dp+BshCFX3lRfAAQKBgGQt\r\n"
+  "K5i7IhCFDjb/+3IPLgOAK7mZvsvZ4eXD33TQ2eZgtut1PXtBtNl17/b85uv293Fm\r\n"
+  "VDISVcsk3eLNS8zIiT6afUoWlxAwXEs0v5WRfjl4radkGvgGiJpJYvyeM67877RB\r\n"
+  "EDSKc/X8ESLfOB44iGvZUEMG6zJFscx9DgN25iQZAoGAbyd+JEWwdVH9/K3IH1t2\r\n"
+  "PBkZX17kNWv+iVM1WyFjbe++vfKZCrOJiyiqhDeEqgrP3AuNMlaaduC3VRC3G5oV\r\n"
+  "Mj1tlhDWQ/qhvKdCKNdIVQYDE75nw+FRWV8yYkHAnXYW3tNoweDIwixE0hkPR1bc\r\n"
+  "oEjPLVNtx8SOj/M4rhaPT3I=\r\n" "-----END PRIVATE KEY-----\r\n";
 const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa);
 
 static u8
@@ -315,8 +319,9 @@ global_scope:
 /**
  * unformat a vnet URI
  *
- * transport-proto://ip46-addr:port
- * eg. tcp://ip46-addr:port
+ * transport-proto://[hostname]ip46-addr:port
+ * eg. 	tcp://ip46-addr:port
+ * 	tls://[testtsl.fd.io]ip46-addr:port
  *
  * u8 ip46_address[16];
  * u16  port_in_host_byte_order;
@@ -331,12 +336,21 @@ global_scope:
 uword
 unformat_vnet_uri (unformat_input_t * input, va_list * args)
 {
-  session_endpoint_t *sep = va_arg (*args, session_endpoint_t *);
+  session_endpoint_extended_t *sep = va_arg (*args,
+					     session_endpoint_extended_t *);
   u32 transport_proto = 0, port;
 
-  if (unformat
-      (input, "%U://%U/%d", unformat_transport_proto, &transport_proto,
-       unformat_ip4_address, &sep->ip.ip4, &port))
+  if (unformat (input, "%U://%U/%d", unformat_transport_proto,
+		&transport_proto, unformat_ip4_address, &sep->ip.ip4, &port))
+    {
+      sep->transport_proto = transport_proto;
+      sep->port = clib_host_to_net_u16 (port);
+      sep->is_ip4 = 1;
+      return 1;
+    }
+  else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto,
+		     &transport_proto, &sep->hostname, unformat_ip4_address,
+		     &sep->ip.ip4, &port))
     {
       sep->transport_proto = transport_proto;
       sep->port = clib_host_to_net_u16 (port);
@@ -352,14 +366,23 @@ unformat_vnet_uri (unformat_input_t * input, va_list * args)
       sep->is_ip4 = 0;
       return 1;
     }
+  else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto,
+		     &transport_proto, &sep->hostname, unformat_ip6_address,
+		     &sep->ip.ip6, &port))
+    {
+      sep->transport_proto = transport_proto;
+      sep->port = clib_host_to_net_u16 (port);
+      sep->is_ip4 = 0;
+      return 1;
+    }
   return 0;
 }
 
 static u8 *cache_uri;
-static session_endpoint_t *cache_sep;
+static session_endpoint_extended_t *cache_sep;
 
 int
-parse_uri (char *uri, session_endpoint_t * sep)
+parse_uri (char *uri, session_endpoint_extended_t * sep)
 {
   unformat_input_t _input, *input = &_input;
 
@@ -483,20 +506,20 @@ vnet_application_detach (vnet_app_detach_args_t * a)
 int
 vnet_bind_uri (vnet_bind_args_t * a)
 {
-  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
   int rv;
 
   rv = parse_uri (a->uri, &sep);
   if (rv)
     return rv;
 
-  return vnet_bind_i (a->app_index, &sep, &a->handle);
+  return vnet_bind_i (a->app_index, (session_endpoint_t *) & sep, &a->handle);
 }
 
 int
 vnet_unbind_uri (vnet_unbind_args_t * a)
 {
-  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
   stream_session_t *listener;
   int rv;
 
@@ -505,7 +528,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
     return rv;
 
   /* NOTE: only default table supported for uri */
-  listener = session_lookup_listener (0, &sep);
+  listener = session_lookup_listener (0, (session_endpoint_t *) & sep);
   if (!listener)
     return VNET_API_ERROR_ADDRESS_NOT_IN_USE;
 
@@ -515,7 +538,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
 clib_error_t *
 vnet_connect_uri (vnet_connect_args_t * a)
 {
-  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
   int rv;
 
   /* Parse uri */
@@ -523,7 +546,8 @@ vnet_connect_uri (vnet_connect_args_t * a)
   if (rv)
     return clib_error_return_code (0, rv, 0, "app init: %d", rv);
 
-  if ((rv = application_connect (a->app_index, a->api_context, &sep)))
+  if ((rv = application_connect (a->app_index, a->api_context,
+				 (session_endpoint_t *) & sep)))
     return clib_error_return_code (0, rv, 0, "connect failed");
   return 0;
 }
@@ -579,7 +603,7 @@ vnet_unbind (vnet_unbind_args_t * a)
 clib_error_t *
 vnet_connect (vnet_connect_args_t * a)
 {
-  session_endpoint_t *sep = &a->sep;
+  session_endpoint_t *sep = (session_endpoint_t *) & a->sep;
   int rv;
 
   if ((rv = application_connect (a->app_index, a->api_context, sep)))
diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h
index 2ab09d6f52d..deddb648630 100644
--- a/src/vnet/session/application_interface.h
+++ b/src/vnet/session/application_interface.h
@@ -83,13 +83,11 @@ typedef struct _vnet_connect_args
   union
   {
     char *uri;
-    session_endpoint_t sep;
+    session_endpoint_extended_t sep;
   };
   u32 app_index;
   u32 api_context;
 
-  /* Used for redirects */
-  void *mp;
   session_handle_t session_handle;
 } vnet_connect_args_t;
 
diff --git a/src/vnet/session/session.api b/src/vnet/session/session.api
index 336b51cd333..bf88e82f336 100644
--- a/src/vnet/session/session.api
+++ b/src/vnet/session/session.api
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-option version = "1.0.1";
+option version = "1.0.2";
 
 /** \brief client->vpp, attach application to session layer
     @param client_index - opaque cookie to identify the sender
@@ -292,6 +292,9 @@ autoreply define unbind_sock {
     @param ip - ip address
     @param port - port 
     @param proto - protocol 0 - TCP 1 - UDP
+    @param hostname-len - length of hostname
+    @param hostname - destination's hostname. If present, used by protocols
+					  like tls.
 */
 autoreply define connect_sock {
   u32 client_index;
@@ -303,6 +306,8 @@ autoreply define connect_sock {
   u8 ip[16];
   u16 port;
   u8 proto;
+  u8 hostname_len;
+  u8 hostname[hostname_len];
 };
 
 /** \brief Bind reply
diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c
index 09e3ded6dff..d4220d4ae6b 100644
--- a/src/vnet/session/session.c
+++ b/src/vnet/session/session.c
@@ -878,12 +878,11 @@ session_open_vc (u32 app_index, session_endpoint_t * rmt, u32 opaque)
 int
 session_open_app (u32 app_index, session_endpoint_t * rmt, u32 opaque)
 {
-  session_endpoint_extended_t sep;
-  clib_memcpy (&sep, rmt, sizeof (*rmt));
-  sep.app_index = app_index;
-  sep.opaque = opaque;
+  session_endpoint_extended_t *sep = (session_endpoint_extended_t *) rmt;
+  sep->app_index = app_index;
+  sep->opaque = opaque;
 
-  return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) & sep);
+  return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) sep);
 }
 
 typedef int (*session_open_service_fn) (u32, session_endpoint_t *, u32);
diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index 6694a40c348..b25911eb306 100755
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -561,12 +561,10 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
       a->uri = (char *) mp->uri;
       a->api_context = mp->context;
       a->app_index = app->index;
-      a->mp = mp;
       if ((error = vnet_connect_uri (a)))
 	{
 	  rv = clib_error_get_code (error);
-	  if (rv != VNET_API_ERROR_SESSION_REDIRECT)
-	    clib_error_report (error);
+	  clib_error_report (error);
 	}
     }
   else
@@ -579,7 +577,7 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
    * the connection is established. In case of the redirects, the reply
    * will come from the server app.
    */
-  if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+  if (rv == 0)
     return;
 
 done:
@@ -838,6 +836,7 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
       svm_queue_t *client_q;
       ip46_address_t *ip46 = (ip46_address_t *) mp->ip;
 
+      memset (a, 0, sizeof (*a));
       client_q = vl_api_client_index_to_input_queue (mp->client_index);
       mp->client_queue_address = pointer_to_uword (client_q);
       a->sep.is_ip4 = mp->is_ip4;
@@ -846,22 +845,26 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
       a->sep.transport_proto = mp->proto;
       a->sep.fib_index = mp->vrf;
       a->sep.sw_if_index = ENDPOINT_INVALID_INDEX;
+      if (mp->hostname_len)
+	{
+	  vec_validate (a->sep.hostname, mp->hostname_len - 1);
+	  clib_memcpy (a->sep.hostname, mp->hostname, mp->hostname_len);
+	}
       a->api_context = mp->context;
       a->app_index = app->index;
-      a->mp = mp;
       if ((error = vnet_connect (a)))
 	{
 	  rv = clib_error_get_code (error);
-	  if (rv != VNET_API_ERROR_SESSION_REDIRECT)
-	    clib_error_report (error);
+	  clib_error_report (error);
 	}
+      vec_free (a->sep.hostname);
     }
   else
     {
       rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
     }
 
-  if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+  if (rv == 0)
     return;
 
   /* Got some error, relay it */
diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c
index 91ac351f860..ceac7039940 100644
--- a/src/vnet/session/session_test.c
+++ b/src/vnet/session/session_test.c
@@ -244,10 +244,10 @@ session_test_namespace (vlib_main_t * vm, unformat_input_t * input)
   };
 
   vnet_connect_args_t connect_args = {
-    .sep = client_sep,
     .app_index = 0,
     .api_context = 0,
   };
+  clib_memcpy (&connect_args.sep, &client_sep, sizeof (client_sep));
 
   vnet_unbind_args_t unbind_args = {
     .handle = bind_args.handle,
@@ -1032,10 +1032,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
 		" 5.6.7.9/32 4321 in local table should return deny");
 
   vnet_connect_args_t connect_args = {
-    .sep = sep,
     .app_index = attach_args.app_index,
     .api_context = 0,
   };
+  clib_memcpy (&connect_args.sep, &sep, sizeof (sep));
 
   /* Try connecting */
   error = vnet_connect (&connect_args);
@@ -1312,7 +1312,7 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
 
 
   connect_args.app_index = server_index;
-  connect_args.sep = sep;
+  clib_memcpy (&connect_args.sep, &sep, sizeof (sep));
 
   error = vnet_connect (&connect_args);
   SESSION_TEST ((error != 0), "connect should fail");
diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h
index 6f6dce66040..b7a5eee4b12 100644
--- a/src/vnet/session/stream_session.h
+++ b/src/vnet/session/stream_session.h
@@ -141,7 +141,6 @@ typedef struct local_session_
 #define foreach_session_endpoint_fields				\
     foreach_transport_connection_fields				\
     _(u8, transport_proto)					\
-    _(u8, app_proto)						\
 
 typedef struct _session_endpoint
 {
@@ -157,6 +156,7 @@ typedef struct _session_endpoint_extended
 #undef _
   u32 app_index;
   u32 opaque;
+  u8 *hostname;
 } session_endpoint_extended_t;
 
 #define SESSION_IP46_ZERO		\
@@ -173,7 +173,18 @@ typedef struct _session_endpoint_extended
   .is_ip4 = 0,				\
   .port = 0,				\
   .transport_proto = 0,			\
-  .app_proto = 0,			\
+}
+#define SESSION_ENDPOINT_EXT_NULL 	\
+{					\
+  .sw_if_index = ENDPOINT_INVALID_INDEX,	\
+  .ip = SESSION_IP46_ZERO,		\
+  .fib_index = ENDPOINT_INVALID_INDEX,	\
+  .is_ip4 = 0,				\
+  .port = 0,				\
+  .transport_proto = 0,			\
+  .app_index = ENDPOINT_INVALID_INDEX,	\
+  .opaque = ENDPOINT_INVALID_INDEX,	\
+  .hostname = 0,				\
 }
 
 #define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep)