tls: enforce certificate verification

- add option to use test certificate in the ca chain
- add hostname to extended session endpoint fields and connect api
  parameters. If hostname is present, certificate validation is
  enforced.
- use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A
  different path can be provided via startup config

Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb
Signed-off-by: Florin Coras <fcoras@cisco.com>

11 files changed, 261 insertions, 169 deletions

diff --git a/src/tests/vnet/session/tcp_echo.c b/src/tests/vnet/session/tcp_echo.c
index 7cfd0ea025c..0108b16ac7b 100644
--- a/src/tests/vnet/session/tcp_echo.c
+++ b/src/tests/vnet/session/tcp_echo.c
@@ -137,54 +137,58 @@ echo_main_t echo_main;
 
 const char test_srv_crt_rsa[] =
   "-----BEGIN CERTIFICATE-----\r\n"
-  "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-  "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-  "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-  "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-  "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-  "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-  "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-  "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-  "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-  "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-  "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-  "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
-  "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
-  "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
-  "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
-  "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
-  "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
-  "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n";
+  "MIID5zCCAs+gAwIBAgIJALeMYCEHrTtJMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD\r\n"
+  "VQQGEwJVUzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMQ4wDAYDVQQK\r\n"
+  "DAVDaXNjbzEOMAwGA1UECwwFZmQuaW8xFjAUBgNVBAMMDXRlc3R0bHMuZmQuaW8x\r\n"
+  "IjAgBgkqhkiG9w0BCQEWE3ZwcC1kZXZAbGlzdHMuZmQuaW8wHhcNMTgwMzA1MjEx\r\n"
+  "NTEyWhcNMjgwMzAyMjExNTEyWjCBiTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB\r\n"
+  "MREwDwYDVQQHDAhTYW4gSm9zZTEOMAwGA1UECgwFQ2lzY28xDjAMBgNVBAsMBWZk\r\n"
+  "LmlvMRYwFAYDVQQDDA10ZXN0dGxzLmZkLmlvMSIwIAYJKoZIhvcNAQkBFhN2cHAt\r\n"
+  "ZGV2QGxpc3RzLmZkLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n"
+  "4C1k8a1DuStgggqT4o09fP9sJ2dC54bxhS/Xk2VEfaIZ222WSo4X/syRVfVy9Yah\r\n"
+  "cpI1zJ/RDxaZSFhgA+nPZBrFMsrULkrdAOpOVj8eDEp9JuWdO2ODSoFnCvLxcYWB\r\n"
+  "Yc5kHryJpEaGJl1sFQSesnzMFty/59ta0stk0Fp8r5NhIjWvSovGzPo6Bhz+VS2c\r\n"
+  "ebIZh4x1t2hHaFcgm0qJoJ6DceReWCW8w+yOVovTolGGq+bpb2Hn7MnRSZ2K2NdL\r\n"
+  "+aLXpkZbS/AODP1FF2vTO1mYL290LO7/51vJmPXNKSDYMy5EvILr5/VqtjsFCwRL\r\n"
+  "Q4jcM/+GeHSAFWx4qIv0BwIDAQABo1AwTjAdBgNVHQ4EFgQUWa1SOB37xmT53tZQ\r\n"
+  "aXuLLhRI7U8wHwYDVR0jBBgwFoAUWa1SOB37xmT53tZQaXuLLhRI7U8wDAYDVR0T\r\n"
+  "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoUht13W4ya27NVzQuCMvqPWL3VM4\r\n"
+  "3xbPFk02FaGz/WupPu276zGlzJAZrbuDcQowwwU1Ni1Yygxl96s1c2M5rHDTrOKG\r\n"
+  "rK0hbkSFBo+i6I8u4HiiQ4rYmG0Hv6+sXn3of0HsbtDPGgWZoipPWDljPYEURu3e\r\n"
+  "3HRe/Dtsj9CakBoSDzs8ndWaBR+f4sM9Tk1cjD46Gq2T/qpSPXqKxEUXlzhdCAn4\r\n"
+  "twub17Bq2kykHpppCwPg5M+v30tHG/R2Go15MeFWbEJthFk3TZMjKL7UFs7fH+x2\r\n"
+  "wSonXb++jY+KmCb93C+soABBizE57g/KmiR2IxQ/LMjDik01RSUIaM0lLA==\r\n"
+  "-----END CERTIFICATE-----\r\n";
 const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa);
 
 const char test_srv_key_rsa[] =
-  "-----BEGIN RSA PRIVATE KEY-----\r\n"
-  "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
-  "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
-  "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
-  "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
-  "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
-  "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
-  "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
-  "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
-  "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
-  "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
-  "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
-  "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
-  "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
-  "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
-  "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
-  "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
-  "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
-  "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
-  "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
-  "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
-  "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
-  "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
-  "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
-  "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
-  "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
-  "-----END RSA PRIVATE KEY-----\r\n";
+  "-----BEGIN PRIVATE KEY-----\r\n"
+  "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgLWTxrUO5K2CC\r\n"
+  "CpPijT18/2wnZ0LnhvGFL9eTZUR9ohnbbZZKjhf+zJFV9XL1hqFykjXMn9EPFplI\r\n"
+  "WGAD6c9kGsUyytQuSt0A6k5WPx4MSn0m5Z07Y4NKgWcK8vFxhYFhzmQevImkRoYm\r\n"
+  "XWwVBJ6yfMwW3L/n21rSy2TQWnyvk2EiNa9Ki8bM+joGHP5VLZx5shmHjHW3aEdo\r\n"
+  "VyCbSomgnoNx5F5YJbzD7I5Wi9OiUYar5ulvYefsydFJnYrY10v5otemRltL8A4M\r\n"
+  "/UUXa9M7WZgvb3Qs7v/nW8mY9c0pINgzLkS8guvn9Wq2OwULBEtDiNwz/4Z4dIAV\r\n"
+  "bHioi/QHAgMBAAECggEBAMzGipP8+oT166U+NlJXRFifFVN1DvdhG9PWnOxGL+c3\r\n"
+  "ILmBBC08WQzmHshPemBvR6DZkA1H23cV5JTiLWrFtC00CvhXsLRMrE5+uWotI6yE\r\n"
+  "iofybMroHvD6/X5R510UX9hQ6MHu5ShLR5VZ9zXHz5MpTmB/60jG5dLx+jgcwBK8\r\n"
+  "LuGv2YB/WCUwT9QJ3YU2eaingnXtz/MrFbkbltrqlnBdlD+kTtw6Yac9y1XuuQXc\r\n"
+  "BPeulLNDuPolJVWbUvDBZrpt2dXTgz8ws1sv+wCNE0xwQJsqW4Nx3QkpibUL9RUr\r\n"
+  "CVbKlNfa9lopT6nGKlgX69R/uH35yh9AOsfasro6w0ECgYEA82UJ8u/+ORah+0sF\r\n"
+  "Q0FfW5MTdi7OAUHOz16pUsGlaEv0ERrjZxmAkHA/VRwpvDBpx4alCv0Hc39PFLIk\r\n"
+  "nhSsM2BEuBkTAs6/GaoNAiBtQVE/hN7awNRWVmlieS0go3Y3dzaE9IUMyj8sPOFT\r\n"
+  "5JdJ6BM69PHKCkY3dKdnnfpFEuECgYEA68mRpteunF1mdZgXs+WrN+uLlRrQR20F\r\n"
+  "ZyMYiUCH2Dtn26EzA2moy7FipIIrQcX/j+KhYNGM3e7MU4LymIO29E18mn8JODnH\r\n"
+  "sQOXzBTsf8A4yIVMkcuQD3bfb0JiUGYUPOidTp2N7IJA7+6Yc3vQOyb74lnKnJoO\r\n"
+  "gougPT2wS+cCgYAn7muzb6xFsXDhyW0Tm6YJYBfRS9yAWEuVufINobeBZPSl2cN1\r\n"
+  "Jrnw+HlrfTNbrJWuJmjtZJXUXQ6cVp2rUbjutNyRV4vG6iRwEXYQ40EJdkr1gZpi\r\n"
+  "CHQhuShuuPih2MNAy7EEbM+sXrDjTBR3bFqzuHPzu7dp+BshCFX3lRfAAQKBgGQt\r\n"
+  "K5i7IhCFDjb/+3IPLgOAK7mZvsvZ4eXD33TQ2eZgtut1PXtBtNl17/b85uv293Fm\r\n"
+  "VDISVcsk3eLNS8zIiT6afUoWlxAwXEs0v5WRfjl4radkGvgGiJpJYvyeM67877RB\r\n"
+  "EDSKc/X8ESLfOB44iGvZUEMG6zJFscx9DgN25iQZAoGAbyd+JEWwdVH9/K3IH1t2\r\n"
+  "PBkZX17kNWv+iVM1WyFjbe++vfKZCrOJiyiqhDeEqgrP3AuNMlaaduC3VRC3G5oV\r\n"
+  "Mj1tlhDWQ/qhvKdCKNdIVQYDE75nw+FRWV8yYkHAnXYW3tNoweDIwixE0hkPR1bc\r\n"
+  "oEjPLVNtx8SOj/M4rhaPT3I=\r\n" "-----END PRIVATE KEY-----\r\n";
 const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa);
 
 static u8 *
diff --git a/src/vnet/session-apps/echo_client.c b/src/vnet/session-apps/echo_client.c
index 7bf98470df0..5b70d4906bc 100644
--- a/src/vnet/session-apps/echo_client.c
+++ b/src/vnet/session-apps/echo_client.c
@@ -520,14 +520,13 @@ echo_clients_connect (vlib_main_t * vm, u32 n_clients)
   vnet_connect_args_t _a, *a = &_a;
   clib_error_t *error = 0;
   int i;
+
+  memset (a, 0, sizeof (*a));
   for (i = 0; i < n_clients; i++)
     {
-      memset (a, 0, sizeof (*a));
-
       a->uri = (char *) ecm->connect_uri;
       a->api_context = i;
       a->app_index = ecm->app_index;
-      a->mp = 0;
 
       if ((error = vnet_connect_uri (a)))
 	return error;
diff --git a/src/vnet/session-apps/proxy.c b/src/vnet/session-apps/proxy.c
index af490177502..190821780e5 100644
--- a/src/vnet/session-apps/proxy.c
+++ b/src/vnet/session-apps/proxy.c
@@ -220,7 +220,6 @@ proxy_rx_callback (stream_session_t * s)
       a->uri = (char *) pm->client_uri;
       a->api_context = proxy_index;
       a->app_index = pm->active_open_app_index;
-      a->mp = 0;
       vnet_connect_uri (a);
     }
 
diff --git a/src/vnet/session-apps/tls.c b/src/vnet/session-apps/tls.c
index 50c36361f2b..d71dfb43d3c 100644
--- a/src/vnet/session-apps/tls.c
+++ b/src/vnet/session-apps/tls.c
@@ -22,11 +22,13 @@
 #include <mbedtls/timing.h>
 #include <mbedtls/debug.h>
 
-#define TLS_DEBUG (0)
-#define TLS_DEBUG_LEVEL_CLIENT (0)
-#define TLS_DEBUG_LEVEL_SERVER (0)
-#define TLS_CHUNK_SIZE (1 << 14)
-#define TLS_USE_OUR_MEM_FUNCS (0)
+#define TLS_DEBUG 		0
+#define TLS_DEBUG_LEVEL_CLIENT 	0
+#define TLS_DEBUG_LEVEL_SERVER 	0
+
+#define TLS_CHUNK_SIZE 		(1 << 14)
+#define TLS_USE_OUR_MEM_FUNCS	0
+#define TLS_CA_CERT_PATH	"/etc/ssl/certs/ca-certificates.crt"
 
 #if TLS_DEBUG
 #define TLS_DBG(_lvl, _fmt, _args...) 			\
@@ -67,6 +69,8 @@ typedef CLIB_PACKED (struct tls_cxt_id_
 }) tls_ctx_id_t;
 /* *INDENT-ON* */
 
+STATIC_ASSERT (sizeof (tls_ctx_id_t) <= 42, "ctx id must be less than 42");
+
 typedef struct tls_ctx_
 {
   union
@@ -85,6 +89,7 @@ typedef struct tls_ctx_
 #define parent_app_api_context c_s_index
 
   u8 is_passive_close;
+  u8 *srv_hostname;
   mbedtls_ssl_context ssl;
   mbedtls_ssl_config conf;
   mbedtls_x509_crt srvcert;
@@ -101,6 +106,12 @@ typedef struct tls_main_
   tls_ctx_t *half_open_ctx_pool;
   clib_rwlock_t half_open_rwlock;
   mbedtls_x509_crt cacert;
+
+  /*
+   * Config
+   */
+  u8 use_test_cert_in_ca;
+  char *ca_cert_path;
 } tls_main_t;
 
 static tls_main_t tls_main;
@@ -188,6 +199,7 @@ tls_ctx_alloc (void)
 void
 tls_ctx_free (tls_ctx_t * ctx)
 {
+  vec_free (ctx->srv_hostname);
   pool_put_index (tls_main.ctx_pool[vlib_get_thread_index ()],
 		  ctx->tls_ctx_idx);
 }
@@ -416,7 +428,8 @@ tls_ctx_init_client (tls_ctx_t * ctx)
       return -1;
     }
 
-  if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl, "SERVER NAME")) != 0)
+  if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl,
+				      (const char *) ctx->srv_hostname)) != 0)
     {
       TLS_DBG (1, "failed\n  ! mbedtls_ssl_set_hostname returned %d\n", rv);
       return -1;
@@ -424,14 +437,13 @@ tls_ctx_init_client (tls_ctx_t * ctx)
 
   ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *);
   mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
-
   mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT);
 
   /*
    * 2. Do the first 2 steps in the handshake.
    */
   TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
-	   tls_ctx_index (ctx));
+	   ctx->tls_ctx_idx);
   while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
     {
       rv = mbedtls_ssl_handshake_step (&ctx->ssl);
@@ -439,13 +451,14 @@ tls_ctx_init_client (tls_ctx_t * ctx)
 	break;
     }
   TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
-	   tls_ctx_index (ctx), ctx->ssl.state);
+	   ctx->tls_ctx_idx, ctx->ssl.state);
   return 0;
 }
 
 static int
 tls_ctx_init_server (tls_ctx_t * ctx)
 {
+  tls_main_t *tm = &tls_main;
   application_t *app;
   void *ctx_ptr;
   int rv;
@@ -468,17 +481,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
 
   rv = mbedtls_x509_crt_parse (&ctx->srvcert,
 			       (const unsigned char *) app->tls_cert,
-			       mbedtls_test_srv_crt_len);
-  if (rv != 0)
-    {
-      TLS_DBG (1, " failed\n  !  mbedtls_x509_crt_parse returned %d", rv);
-      goto exit;
-    }
-
-  /* TODO clone CA */
-  rv = mbedtls_x509_crt_parse (&ctx->srvcert,
-			       (const unsigned char *) mbedtls_test_cas_pem,
-			       mbedtls_test_cas_pem_len);
+			       vec_len (app->tls_cert));
   if (rv != 0)
     {
       TLS_DBG (1, " failed\n  !  mbedtls_x509_crt_parse returned %d", rv);
@@ -487,7 +490,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
 
   rv = mbedtls_pk_parse_key (&ctx->pkey,
 			     (const unsigned char *) app->tls_key,
-			     mbedtls_test_srv_key_len, NULL, 0);
+			     vec_len (app->tls_key), NULL, 0);
   if (rv != 0)
     {
       TLS_DBG (1, " failed\n  !  mbedtls_pk_parse_key returned %d", rv);
@@ -515,7 +518,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
      mbedtls_ssl_cache_set );
    */
 
-  mbedtls_ssl_conf_ca_chain (&ctx->conf, ctx->srvcert.next, NULL);
+  mbedtls_ssl_conf_ca_chain (&ctx->conf, &tm->cacert, NULL);
   if ((rv = mbedtls_ssl_conf_own_cert (&ctx->conf, &ctx->srvcert, &ctx->pkey))
       != 0)
     {
@@ -539,7 +542,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
    * 3. Start handshake state machine
    */
   TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
-	   tls_ctx_index (ctx));
+	   ctx->tls_ctx_idx);
   while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
     {
       rv = mbedtls_ssl_handshake_step (&ctx->ssl);
@@ -548,7 +551,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
     }
 
   TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
-	   tls_ctx_index (ctx), ctx->ssl.state);
+	   ctx->tls_ctx_idx, ctx->ssl.state);
   return 0;
 
 exit:
@@ -585,7 +588,7 @@ tls_notify_app_accept (tls_ctx_t * ctx)
 }
 
 static int
-tls_notify_app_connected (tls_ctx_t * ctx)
+tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed)
 {
   int (*cb_fn) (u32, u32, stream_session_t *, u8);
   stream_session_t *app_session;
@@ -595,6 +598,9 @@ tls_notify_app_connected (tls_ctx_t * ctx)
   app = application_get (ctx->parent_app_index);
   cb_fn = app->cb_fns.session_connected_callback;
 
+  if (is_failed)
+    goto failed;
+
   sm = application_get_connect_segment_manager (app);
   app_session = session_alloc (vlib_get_thread_index ());
   app_session->app_index = ctx->parent_app_index;
@@ -632,7 +638,7 @@ tls_handshake_rx (tls_ctx_t * ctx)
       if (rv != 0)
 	break;
     }
-  TLS_DBG (2, "tls state for %u is %u", tls_ctx_index (ctx), ctx->ssl.state);
+  TLS_DBG (2, "tls state for %u is %u", ctx->tls_ctx_idx, ctx->ssl.state);
 
   if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
     return 0;
@@ -652,12 +658,17 @@ tls_handshake_rx (tls_ctx_t * ctx)
 	  mbedtls_x509_crt_verify_info (buf, sizeof (buf), "  ! ", flags);
 	  TLS_DBG (1, "%s\n", buf);
 
-	  /* For testing purposes not enforcing this */
-	  /* tls_disconnect (tls_ctx_index (ctx), vlib_get_thread_index ());
-	     return -1;
+	  /*
+	   * Presence of hostname enforces strict certificate verification
 	   */
+	  if (ctx->srv_hostname)
+	    {
+	      tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ());
+	      tls_notify_app_connected (ctx, /* is failed */ 1);
+	      return -1;
+	    }
 	}
-      tls_notify_app_connected (ctx);
+      tls_notify_app_connected (ctx, /* is failed */ 0);
     }
   else
     {
@@ -665,7 +676,7 @@ tls_handshake_rx (tls_ctx_t * ctx)
     }
 
   TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x",
-	   tls_ctx_index (ctx), ctx->ssl.session->ciphersuite);
+	   ctx->tls_ctx_idx, ctx->ssl.session->ciphersuite);
   return 0;
 }
 
@@ -899,6 +910,11 @@ tls_connect (transport_endpoint_t * tep)
   ctx->parent_app_index = sep->app_index;
   ctx->parent_app_api_context = sep->opaque;
   ctx->tcp_is_ip4 = sep->is_ip4;
+  if (sep->hostname)
+    {
+      ctx->srv_hostname = format (0, "%v", sep->hostname);
+      vec_terminate_c_string (ctx->srv_hostname);
+    }
   tls_ctx_half_open_reader_unlock ();
 
   app = application_get (sep->app_index);
@@ -1101,17 +1117,33 @@ tls_init_ca_chain (void)
   tls_main_t *tm = &tls_main;
   int rv;
 
-  /* TODO config */
+  if (!tm->ca_cert_path)
+    tm->ca_cert_path = TLS_CA_CERT_PATH;
+
+  if (access (tm->ca_cert_path, F_OK | R_OK) == -1)
+    {
+      clib_warning ("Could not initialize TLS CA certificates");
+      return -1;
+    }
+
   mbedtls_x509_crt_init (&tm->cacert);
-  rv = mbedtls_x509_crt_parse (&tm->cacert,
-			       (const unsigned char *) mbedtls_test_cas_pem,
-			       mbedtls_test_cas_pem_len);
+  rv = mbedtls_x509_crt_parse_file (&tm->cacert, tm->ca_cert_path);
   if (rv < 0)
     {
-      clib_warning ("mbedtls_x509_crt_parse returned -0x%x", -rv);
-      return -1;
+      clib_warning ("Couldn't parse system CA certificates: -0x%x", -rv);
     }
-  return 0;
+  if (tm->use_test_cert_in_ca)
+    {
+      rv = mbedtls_x509_crt_parse (&tm->cacert,
+				   (const unsigned char *) test_srv_crt_rsa,
+				   test_srv_crt_rsa_len);
+      if (rv < 0)
+	{
+	  clib_warning ("Couldn't parse test certificate: -0x%x", -rv);
+	  return -1;
+	}
+    }
+  return (rv < 0 ? -1 : 0);
 }
 
 clib_error_t *
@@ -1175,6 +1207,24 @@ tls_init (vlib_main_t * vm)
 
 VLIB_INIT_FUNCTION (tls_init);
 
+static clib_error_t *
+tls_config_fn (vlib_main_t * vm, unformat_input_t * input)
+{
+  tls_main_t *tm = &tls_main;
+  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (input, "use-test-cert-in-ca"))
+	tm->use_test_cert_in_ca = 1;
+      else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path))
+	;
+      else
+	return clib_error_return (0, "unknown input `%U'",
+				  format_unformat_error, input);
+    }
+  return 0;
+}
+
+VLIB_EARLY_CONFIG_FUNCTION (tls_config_fn, "tls");
 /*
  * fd.io coding-style-patch-verification: ON
  *
diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c
index 12a5701fdf3..dbd5e49417f 100644
--- a/src/vnet/session/application_interface.c
+++ b/src/vnet/session/application_interface.c
@@ -27,54 +27,58 @@
  */
 const char test_srv_crt_rsa[] =
   "-----BEGIN CERTIFICATE-----\r\n"
-  "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-  "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-  "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-  "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-  "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-  "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-  "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-  "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-  "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-  "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-  "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-  "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
-  "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
-  "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
-  "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
-  "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
-  "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
-  "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n";
+  "MIID5zCCAs+gAwIBAgIJALeMYCEHrTtJMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD\r\n"
+  "VQQGEwJVUzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMQ4wDAYDVQQK\r\n"
+  "DAVDaXNjbzEOMAwGA1UECwwFZmQuaW8xFjAUBgNVBAMMDXRlc3R0bHMuZmQuaW8x\r\n"
+  "IjAgBgkqhkiG9w0BCQEWE3ZwcC1kZXZAbGlzdHMuZmQuaW8wHhcNMTgwMzA1MjEx\r\n"
+  "NTEyWhcNMjgwMzAyMjExNTEyWjCBiTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB\r\n"
+  "MREwDwYDVQQHDAhTYW4gSm9zZTEOMAwGA1UECgwFQ2lzY28xDjAMBgNVBAsMBWZk\r\n"
+  "LmlvMRYwFAYDVQQDDA10ZXN0dGxzLmZkLmlvMSIwIAYJKoZIhvcNAQkBFhN2cHAt\r\n"
+  "ZGV2QGxpc3RzLmZkLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n"
+  "4C1k8a1DuStgggqT4o09fP9sJ2dC54bxhS/Xk2VEfaIZ222WSo4X/syRVfVy9Yah\r\n"
+  "cpI1zJ/RDxaZSFhgA+nPZBrFMsrULkrdAOpOVj8eDEp9JuWdO2ODSoFnCvLxcYWB\r\n"
+  "Yc5kHryJpEaGJl1sFQSesnzMFty/59ta0stk0Fp8r5NhIjWvSovGzPo6Bhz+VS2c\r\n"
+  "ebIZh4x1t2hHaFcgm0qJoJ6DceReWCW8w+yOVovTolGGq+bpb2Hn7MnRSZ2K2NdL\r\n"
+  "+aLXpkZbS/AODP1FF2vTO1mYL290LO7/51vJmPXNKSDYMy5EvILr5/VqtjsFCwRL\r\n"
+  "Q4jcM/+GeHSAFWx4qIv0BwIDAQABo1AwTjAdBgNVHQ4EFgQUWa1SOB37xmT53tZQ\r\n"
+  "aXuLLhRI7U8wHwYDVR0jBBgwFoAUWa1SOB37xmT53tZQaXuLLhRI7U8wDAYDVR0T\r\n"
+  "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoUht13W4ya27NVzQuCMvqPWL3VM4\r\n"
+  "3xbPFk02FaGz/WupPu276zGlzJAZrbuDcQowwwU1Ni1Yygxl96s1c2M5rHDTrOKG\r\n"
+  "rK0hbkSFBo+i6I8u4HiiQ4rYmG0Hv6+sXn3of0HsbtDPGgWZoipPWDljPYEURu3e\r\n"
+  "3HRe/Dtsj9CakBoSDzs8ndWaBR+f4sM9Tk1cjD46Gq2T/qpSPXqKxEUXlzhdCAn4\r\n"
+  "twub17Bq2kykHpppCwPg5M+v30tHG/R2Go15MeFWbEJthFk3TZMjKL7UFs7fH+x2\r\n"
+  "wSonXb++jY+KmCb93C+soABBizE57g/KmiR2IxQ/LMjDik01RSUIaM0lLA==\r\n"
+  "-----END CERTIFICATE-----\r\n";
 const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa);
 
 const char test_srv_key_rsa[] =
-  "-----BEGIN RSA PRIVATE KEY-----\r\n"
-  "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
-  "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
-  "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
-  "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
-  "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
-  "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
-  "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
-  "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
-  "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
-  "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
-  "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
-  "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
-  "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
-  "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
-  "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
-  "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
-  "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
-  "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
-  "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
-  "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
-  "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
-  "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
-  "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
-  "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
-  "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
-  "-----END RSA PRIVATE KEY-----\r\n";
+  "-----BEGIN PRIVATE KEY-----\r\n"
+  "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgLWTxrUO5K2CC\r\n"
+  "CpPijT18/2wnZ0LnhvGFL9eTZUR9ohnbbZZKjhf+zJFV9XL1hqFykjXMn9EPFplI\r\n"
+  "WGAD6c9kGsUyytQuSt0A6k5WPx4MSn0m5Z07Y4NKgWcK8vFxhYFhzmQevImkRoYm\r\n"
+  "XWwVBJ6yfMwW3L/n21rSy2TQWnyvk2EiNa9Ki8bM+joGHP5VLZx5shmHjHW3aEdo\r\n"
+  "VyCbSomgnoNx5F5YJbzD7I5Wi9OiUYar5ulvYefsydFJnYrY10v5otemRltL8A4M\r\n"
+  "/UUXa9M7WZgvb3Qs7v/nW8mY9c0pINgzLkS8guvn9Wq2OwULBEtDiNwz/4Z4dIAV\r\n"
+  "bHioi/QHAgMBAAECggEBAMzGipP8+oT166U+NlJXRFifFVN1DvdhG9PWnOxGL+c3\r\n"
+  "ILmBBC08WQzmHshPemBvR6DZkA1H23cV5JTiLWrFtC00CvhXsLRMrE5+uWotI6yE\r\n"
+  "iofybMroHvD6/X5R510UX9hQ6MHu5ShLR5VZ9zXHz5MpTmB/60jG5dLx+jgcwBK8\r\n"
+  "LuGv2YB/WCUwT9QJ3YU2eaingnXtz/MrFbkbltrqlnBdlD+kTtw6Yac9y1XuuQXc\r\n"
+  "BPeulLNDuPolJVWbUvDBZrpt2dXTgz8ws1sv+wCNE0xwQJsqW4Nx3QkpibUL9RUr\r\n"
+  "CVbKlNfa9lopT6nGKlgX69R/uH35yh9AOsfasro6w0ECgYEA82UJ8u/+ORah+0sF\r\n"
+  "Q0FfW5MTdi7OAUHOz16pUsGlaEv0ERrjZxmAkHA/VRwpvDBpx4alCv0Hc39PFLIk\r\n"
+  "nhSsM2BEuBkTAs6/GaoNAiBtQVE/hN7awNRWVmlieS0go3Y3dzaE9IUMyj8sPOFT\r\n"
+  "5JdJ6BM69PHKCkY3dKdnnfpFEuECgYEA68mRpteunF1mdZgXs+WrN+uLlRrQR20F\r\n"
+  "ZyMYiUCH2Dtn26EzA2moy7FipIIrQcX/j+KhYNGM3e7MU4LymIO29E18mn8JODnH\r\n"
+  "sQOXzBTsf8A4yIVMkcuQD3bfb0JiUGYUPOidTp2N7IJA7+6Yc3vQOyb74lnKnJoO\r\n"
+  "gougPT2wS+cCgYAn7muzb6xFsXDhyW0Tm6YJYBfRS9yAWEuVufINobeBZPSl2cN1\r\n"
+  "Jrnw+HlrfTNbrJWuJmjtZJXUXQ6cVp2rUbjutNyRV4vG6iRwEXYQ40EJdkr1gZpi\r\n"
+  "CHQhuShuuPih2MNAy7EEbM+sXrDjTBR3bFqzuHPzu7dp+BshCFX3lRfAAQKBgGQt\r\n"
+  "K5i7IhCFDjb/+3IPLgOAK7mZvsvZ4eXD33TQ2eZgtut1PXtBtNl17/b85uv293Fm\r\n"
+  "VDISVcsk3eLNS8zIiT6afUoWlxAwXEs0v5WRfjl4radkGvgGiJpJYvyeM67877RB\r\n"
+  "EDSKc/X8ESLfOB44iGvZUEMG6zJFscx9DgN25iQZAoGAbyd+JEWwdVH9/K3IH1t2\r\n"
+  "PBkZX17kNWv+iVM1WyFjbe++vfKZCrOJiyiqhDeEqgrP3AuNMlaaduC3VRC3G5oV\r\n"
+  "Mj1tlhDWQ/qhvKdCKNdIVQYDE75nw+FRWV8yYkHAnXYW3tNoweDIwixE0hkPR1bc\r\n"
+  "oEjPLVNtx8SOj/M4rhaPT3I=\r\n" "-----END PRIVATE KEY-----\r\n";
 const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa);
 
 static u8
@@ -315,8 +319,9 @@ global_scope:
 /**
  * unformat a vnet URI
  *
- * transport-proto://ip46-addr:port
- * eg. tcp://ip46-addr:port
+ * transport-proto://[hostname]ip46-addr:port
+ * eg. 	tcp://ip46-addr:port
+ * 	tls://[testtsl.fd.io]ip46-addr:port
  *
  * u8 ip46_address[16];
  * u16  port_in_host_byte_order;
@@ -331,12 +336,21 @@ global_scope:
 uword
 unformat_vnet_uri (unformat_input_t * input, va_list * args)
 {
-  session_endpoint_t *sep = va_arg (*args, session_endpoint_t *);
+  session_endpoint_extended_t *sep = va_arg (*args,
+					     session_endpoint_extended_t *);
   u32 transport_proto = 0, port;
 
-  if (unformat
-      (input, "%U://%U/%d", unformat_transport_proto, &transport_proto,
-       unformat_ip4_address, &sep->ip.ip4, &port))
+  if (unformat (input, "%U://%U/%d", unformat_transport_proto,
+		&transport_proto, unformat_ip4_address, &sep->ip.ip4, &port))
+    {
+      sep->transport_proto = transport_proto;
+      sep->port = clib_host_to_net_u16 (port);
+      sep->is_ip4 = 1;
+      return 1;
+    }
+  else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto,
+		     &transport_proto, &sep->hostname, unformat_ip4_address,
+		     &sep->ip.ip4, &port))
     {
       sep->transport_proto = transport_proto;
       sep->port = clib_host_to_net_u16 (port);
@@ -352,14 +366,23 @@ unformat_vnet_uri (unformat_input_t * input, va_list * args)
       sep->is_ip4 = 0;
       return 1;
     }
+  else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto,
+		     &transport_proto, &sep->hostname, unformat_ip6_address,
+		     &sep->ip.ip6, &port))
+    {
+      sep->transport_proto = transport_proto;
+      sep->port = clib_host_to_net_u16 (port);
+      sep->is_ip4 = 0;
+      return 1;
+    }
   return 0;
 }
 
 static u8 *cache_uri;
-static session_endpoint_t *cache_sep;
+static session_endpoint_extended_t *cache_sep;
 
 int
-parse_uri (char *uri, session_endpoint_t * sep)
+parse_uri (char *uri, session_endpoint_extended_t * sep)
 {
   unformat_input_t _input, *input = &_input;
 
@@ -483,20 +506,20 @@ vnet_application_detach (vnet_app_detach_args_t * a)
 int
 vnet_bind_uri (vnet_bind_args_t * a)
 {
-  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
   int rv;
 
   rv = parse_uri (a->uri, &sep);
   if (rv)
     return rv;
 
-  return vnet_bind_i (a->app_index, &sep, &a->handle);
+  return vnet_bind_i (a->app_index, (session_endpoint_t *) & sep, &a->handle);
 }
 
 int
 vnet_unbind_uri (vnet_unbind_args_t * a)
 {
-  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
   stream_session_t *listener;
   int rv;
 
@@ -505,7 +528,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
     return rv;
 
   /* NOTE: only default table supported for uri */
-  listener = session_lookup_listener (0, &sep);
+  listener = session_lookup_listener (0, (session_endpoint_t *) & sep);
   if (!listener)
     return VNET_API_ERROR_ADDRESS_NOT_IN_USE;
 
@@ -515,7 +538,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
 clib_error_t *
 vnet_connect_uri (vnet_connect_args_t * a)
 {
-  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
   int rv;
 
   /* Parse uri */
@@ -523,7 +546,8 @@ vnet_connect_uri (vnet_connect_args_t * a)
   if (rv)
     return clib_error_return_code (0, rv, 0, "app init: %d", rv);
 
-  if ((rv = application_connect (a->app_index, a->api_context, &sep)))
+  if ((rv = application_connect (a->app_index, a->api_context,
+				 (session_endpoint_t *) & sep)))
     return clib_error_return_code (0, rv, 0, "connect failed");
   return 0;
 }
@@ -579,7 +603,7 @@ vnet_unbind (vnet_unbind_args_t * a)
 clib_error_t *
 vnet_connect (vnet_connect_args_t * a)
 {
-  session_endpoint_t *sep = &a->sep;
+  session_endpoint_t *sep = (session_endpoint_t *) & a->sep;
   int rv;
 
   if ((rv = application_connect (a->app_index, a->api_context, sep)))
diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h
index 2ab09d6f52d..deddb648630 100644
--- a/src/vnet/session/application_interface.h
+++ b/src/vnet/session/application_interface.h
@@ -83,13 +83,11 @@ typedef struct _vnet_connect_args
   union
   {
     char *uri;
-    session_endpoint_t sep;
+    session_endpoint_extended_t sep;
   };
   u32 app_index;
   u32 api_context;
 
-  /* Used for redirects */
-  void *mp;
   session_handle_t session_handle;
 } vnet_connect_args_t;
 
diff --git a/src/vnet/session/session.api b/src/vnet/session/session.api
index 336b51cd333..bf88e82f336 100644
--- a/src/vnet/session/session.api
+++ b/src/vnet/session/session.api
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-option version = "1.0.1";
+option version = "1.0.2";
 
 /** \brief client->vpp, attach application to session layer
     @param client_index - opaque cookie to identify the sender
@@ -292,6 +292,9 @@ autoreply define unbind_sock {
     @param ip - ip address
     @param port - port 
     @param proto - protocol 0 - TCP 1 - UDP
+    @param hostname-len - length of hostname
+    @param hostname - destination's hostname. If present, used by protocols
+					  like tls.
 */
 autoreply define connect_sock {
   u32 client_index;
@@ -303,6 +306,8 @@ autoreply define connect_sock {
   u8 ip[16];
   u16 port;
   u8 proto;
+  u8 hostname_len;
+  u8 hostname[hostname_len];
 };
 
 /** \brief Bind reply
diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c
index 09e3ded6dff..d4220d4ae6b 100644
--- a/src/vnet/session/session.c
+++ b/src/vnet/session/session.c
@@ -878,12 +878,11 @@ session_open_vc (u32 app_index, session_endpoint_t * rmt, u32 opaque)
 int
 session_open_app (u32 app_index, session_endpoint_t * rmt, u32 opaque)
 {
-  session_endpoint_extended_t sep;
-  clib_memcpy (&sep, rmt, sizeof (*rmt));
-  sep.app_index = app_index;
-  sep.opaque = opaque;
+  session_endpoint_extended_t *sep = (session_endpoint_extended_t *) rmt;
+  sep->app_index = app_index;
+  sep->opaque = opaque;
 
-  return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) & sep);
+  return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) sep);
 }
 
 typedef int (*session_open_service_fn) (u32, session_endpoint_t *, u32);
diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index 6694a40c348..b25911eb306 100755
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -561,12 +561,10 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
       a->uri = (char *) mp->uri;
       a->api_context = mp->context;
       a->app_index = app->index;
-      a->mp = mp;
       if ((error = vnet_connect_uri (a)))
 	{
 	  rv = clib_error_get_code (error);
-	  if (rv != VNET_API_ERROR_SESSION_REDIRECT)
-	    clib_error_report (error);
+	  clib_error_report (error);
 	}
     }
   else
@@ -579,7 +577,7 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
    * the connection is established. In case of the redirects, the reply
    * will come from the server app.
    */
-  if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+  if (rv == 0)
     return;
 
 done:
@@ -838,6 +836,7 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
       svm_queue_t *client_q;
       ip46_address_t *ip46 = (ip46_address_t *) mp->ip;
 
+      memset (a, 0, sizeof (*a));
       client_q = vl_api_client_index_to_input_queue (mp->client_index);
       mp->client_queue_address = pointer_to_uword (client_q);
       a->sep.is_ip4 = mp->is_ip4;
@@ -846,22 +845,26 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
       a->sep.transport_proto = mp->proto;
       a->sep.fib_index = mp->vrf;
       a->sep.sw_if_index = ENDPOINT_INVALID_INDEX;
+      if (mp->hostname_len)
+	{
+	  vec_validate (a->sep.hostname, mp->hostname_len - 1);
+	  clib_memcpy (a->sep.hostname, mp->hostname, mp->hostname_len);
+	}
       a->api_context = mp->context;
       a->app_index = app->index;
-      a->mp = mp;
       if ((error = vnet_connect (a)))
 	{
 	  rv = clib_error_get_code (error);
-	  if (rv != VNET_API_ERROR_SESSION_REDIRECT)
-	    clib_error_report (error);
+	  clib_error_report (error);
 	}
+      vec_free (a->sep.hostname);
     }
   else
     {
       rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
     }
 
-  if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+  if (rv == 0)
     return;
 
   /* Got some error, relay it */
diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c
index 91ac351f860..ceac7039940 100644
--- a/src/vnet/session/session_test.c
+++ b/src/vnet/session/session_test.c
@@ -244,10 +244,10 @@ session_test_namespace (vlib_main_t * vm, unformat_input_t * input)
   };
 
   vnet_connect_args_t connect_args = {
-    .sep = client_sep,
     .app_index = 0,
     .api_context = 0,
   };
+  clib_memcpy (&connect_args.sep, &client_sep, sizeof (client_sep));
 
   vnet_unbind_args_t unbind_args = {
     .handle = bind_args.handle,
@@ -1032,10 +1032,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
 		" 5.6.7.9/32 4321 in local table should return deny");
 
   vnet_connect_args_t connect_args = {
-    .sep = sep,
     .app_index = attach_args.app_index,
     .api_context = 0,
   };
+  clib_memcpy (&connect_args.sep, &sep, sizeof (sep));
 
   /* Try connecting */
   error = vnet_connect (&connect_args);
@@ -1312,7 +1312,7 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
 
 
   connect_args.app_index = server_index;
-  connect_args.sep = sep;
+  clib_memcpy (&connect_args.sep, &sep, sizeof (sep));
 
   error = vnet_connect (&connect_args);
   SESSION_TEST ((error != 0), "connect should fail");
diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h
index 6f6dce66040..b7a5eee4b12 100644
--- a/src/vnet/session/stream_session.h
+++ b/src/vnet/session/stream_session.h
@@ -141,7 +141,6 @@ typedef struct local_session_
 #define foreach_session_endpoint_fields				\
     foreach_transport_connection_fields				\
     _(u8, transport_proto)					\
-    _(u8, app_proto)						\
 
 typedef struct _session_endpoint
 {
@@ -157,6 +156,7 @@ typedef struct _session_endpoint_extended
 #undef _
   u32 app_index;
   u32 opaque;
+  u8 *hostname;
 } session_endpoint_extended_t;
 
 #define SESSION_IP46_ZERO		\
@@ -173,7 +173,18 @@ typedef struct _session_endpoint_extended
   .is_ip4 = 0,				\
   .port = 0,				\
   .transport_proto = 0,			\
-  .app_proto = 0,			\
+}
+#define SESSION_ENDPOINT_EXT_NULL 	\
+{					\
+  .sw_if_index = ENDPOINT_INVALID_INDEX,	\
+  .ip = SESSION_IP46_ZERO,		\
+  .fib_index = ENDPOINT_INVALID_INDEX,	\
+  .is_ip4 = 0,				\
+  .port = 0,				\
+  .transport_proto = 0,			\
+  .app_index = ENDPOINT_INVALID_INDEX,	\
+  .opaque = ENDPOINT_INVALID_INDEX,	\
+  .hostname = 0,				\
 }
 
 #define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep)