
Merge pull request #735 from jboeuf/fix_ssl_san

Verifying the peer name on the X509 Certs correctly.
Craig Tiller 10 年之前
父節點
當前提交
36ccead403
共有 65 個文件被更改,包括 528 次插入126 次删除
  1. 1 0
      Makefile
  2. 14 0
      build.json
  3. 86 19
      src/core/tsi/ssl_transport_security.c
  4. 6 1
      src/core/tsi/ssl_transport_security.h
  5. 1 1
      src/node/test/interop_sanity_test.js
  6. 1 1
      src/php/tests/interop/interop_client.php
  7. 1 1
      src/php/tests/unit_tests/SecureEndToEndTest.php
  8. 1 1
      src/ruby/bin/interop/interop_client.rb
  9. 1 1
      src/ruby/bin/math_client.rb
  10. 1 1
      src/ruby/bin/noproto_client.rb
  11. 1 1
      src/ruby/spec/client_server_spec.rb
  12. 1 1
      src/ruby/spec/generic/client_stub_spec.rb
  13. 2 2
      test/core/end2end/dualstack_socket_test.c
  14. 1 1
      test/core/end2end/fixtures/chttp2_simple_ssl_fullstack.c
  15. 1 1
      test/core/end2end/fixtures/chttp2_simple_ssl_with_oauth2_fullstack.c
  16. 1 1
      test/core/end2end/tests/cancel_after_accept.c
  17. 2 2
      test/core/end2end/tests/cancel_after_accept_and_writes_closed.c
  18. 2 2
      test/core/end2end/tests/cancel_after_accept_and_writes_closed_legacy.c
  19. 2 2
      test/core/end2end/tests/cancel_after_accept_legacy.c
  20. 1 1
      test/core/end2end/tests/cancel_after_invoke.c
  21. 1 1
      test/core/end2end/tests/cancel_after_invoke_legacy.c
  22. 1 1
      test/core/end2end/tests/cancel_before_invoke.c
  23. 1 1
      test/core/end2end/tests/cancel_before_invoke_legacy.c
  24. 1 1
      test/core/end2end/tests/cancel_in_a_vacuum.c
  25. 1 1
      test/core/end2end/tests/cancel_in_a_vacuum_legacy.c
  26. 2 2
      test/core/end2end/tests/census_simple_request.c
  27. 2 2
      test/core/end2end/tests/census_simple_request_legacy.c
  28. 2 2
      test/core/end2end/tests/disappearing_server.c
  29. 2 2
      test/core/end2end/tests/disappearing_server_legacy.c
  30. 2 2
      test/core/end2end/tests/early_server_shutdown_finishes_inflight_calls.c
  31. 2 2
      test/core/end2end/tests/early_server_shutdown_finishes_inflight_calls_legacy.c
  32. 1 1
      test/core/end2end/tests/empty_batch.c
  33. 2 2
      test/core/end2end/tests/graceful_server_shutdown.c
  34. 2 2
      test/core/end2end/tests/graceful_server_shutdown_legacy.c
  35. 2 2
      test/core/end2end/tests/invoke_large_request.c
  36. 2 2
      test/core/end2end/tests/invoke_large_request_legacy.c
  37. 6 6
      test/core/end2end/tests/max_concurrent_streams.c
  38. 6 6
      test/core/end2end/tests/max_concurrent_streams_legacy.c
  39. 2 2
      test/core/end2end/tests/ping_pong_streaming.c
  40. 2 2
      test/core/end2end/tests/ping_pong_streaming_legacy.c
  41. 2 2
      test/core/end2end/tests/request_response_with_binary_metadata_and_payload.c
  42. 2 2
      test/core/end2end/tests/request_response_with_binary_metadata_and_payload_legacy.c
  43. 2 2
      test/core/end2end/tests/request_response_with_metadata_and_payload.c
  44. 2 2
      test/core/end2end/tests/request_response_with_metadata_and_payload_legacy.c
  45. 2 2
      test/core/end2end/tests/request_response_with_payload.c
  46. 2 2
      test/core/end2end/tests/request_response_with_payload_legacy.c
  47. 2 2
      test/core/end2end/tests/request_response_with_trailing_metadata_and_payload.c
  48. 2 2
      test/core/end2end/tests/request_response_with_trailing_metadata_and_payload_legacy.c
  49. 2 2
      test/core/end2end/tests/request_with_large_metadata.c
  50. 2 2
      test/core/end2end/tests/request_with_large_metadata_legacy.c
  51. 2 2
      test/core/end2end/tests/request_with_payload.c
  52. 2 2
      test/core/end2end/tests/request_with_payload_legacy.c
  53. 2 2
      test/core/end2end/tests/simple_delayed_request.c
  54. 2 2
      test/core/end2end/tests/simple_delayed_request_legacy.c
  55. 2 2
      test/core/end2end/tests/simple_request.c
  56. 4 4
      test/core/end2end/tests/simple_request_legacy.c
  57. 1 1
      test/core/end2end/tests/thread_stress.c
  58. 1 1
      test/core/end2end/tests/thread_stress_legacy.c
  59. 2 2
      test/core/end2end/tests/writes_done_hangs_with_pending_read.c
  60. 2 2
      test/core/end2end/tests/writes_done_hangs_with_pending_read_legacy.c
  61. 303 0
      test/core/tsi/transport_security_test.c
  62. 1 1
      test/cpp/interop/client.cc
  63. 1 1
      test/cpp/util/create_test_channel.cc
  64. 4 0
      tools/run_tests/tests.json
  65. 10 2
      vsprojects/vs2013/Grpc.mak

File diff suppressed because it is too large
+ 1 - 0
Makefile


+ 14 - 0
build.json

@@ -1579,6 +1579,20 @@
         "gpr"
       ]
     },
+    {
+      "name": "transport_security_test",
+      "build": "test",
+      "language": "c",
+      "src": [
+        "test/core/tsi/transport_security_test.c"
+      ],
+      "deps": [
+        "grpc_test_util",
+        "grpc",
+        "gpr_test_util",
+        "gpr"
+      ]
+    },
     {
       "name": "async_end2end_test",
       "build": "test",

+ 86 - 19
src/core/tsi/ssl_transport_security.c

@@ -180,6 +180,30 @@ static void ssl_info_callback(const SSL* ssl, int where, int ret) {
   ssl_log_where_info(ssl, where, SSL_CB_HANDSHAKE_DONE, "HANDSHAKE DONE");
 }
 
+/* Returns 1 if name looks like an IP address, 0 otherwise.
+   This is a very rough heuristic as it does not handle IPV6 or things like:
+   0300.0250.00.01, 0xC0.0Xa8.0x0.0x1, 000030052000001, 0xc0.052000001 */
+static int looks_like_ip_address(const char *name) {
+  size_t i;
+  size_t dot_count = 0;
+  size_t num_size = 0;
+  for (i = 0; i < strlen(name); i++) {
+    if (name[i] >= '0' && name[i] <= '9') {
+      if (num_size > 3) return 0;
+      num_size++;
+    } else if (name[i] == '.') {
+      if (dot_count > 3 || num_size == 0) return 0;
+      dot_count++;
+      num_size = 0;
+    } else {
+      return 0;
+    }
+  }
+  if (dot_count < 3 || num_size == 0) return 0;
+  return 1;
+}
+
+
 /* Gets the subject CN from an X509 cert. */
 static tsi_result ssl_get_x509_common_name(X509* cert, unsigned char** utf8,
                                            size_t* utf8_size) {
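Review bot: Both bounds in `looks_like_ip_address` are off by one: `if (num_size > 3)` lets a fourth digit through and `if (dot_count > 3 || ...)` lets a fourth dot through, so `1234.1.1.1` and `1.2.3.4.5` are classified as IP addresses. Since `tsi_ssl_peer_matches_name` rejects whatever this returns 1 for, the error fails closed, but the checks should read `if (num_size >= 3) return 0;` and `if (dot_count >= 3 || num_size == 0) return 0;` to describe a dotted quad. The loop condition also re-evaluates `strlen(name)` on every iteration; take the length once before the loop. IPv6 literals are not recognised, as the comment says, so they still reach hostname matching.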
@@ -226,10 +250,18 @@ static tsi_result peer_property_from_x509_common_name(
   size_t common_name_size;
   tsi_result result =
       ssl_get_x509_common_name(cert, &common_name, &common_name_size);
-  if (result != TSI_OK) return result;
+  if (result != TSI_OK) {
+    if (result == TSI_NOT_FOUND) {
+      common_name = NULL;
+      common_name_size = 0;
+    } else {
+      return result;
+    }
+  }
   result = tsi_construct_string_peer_property(
-      TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, (const char*)common_name,
-      common_name_size, property);
+      TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY,
+      common_name == NULL ? "" : (const char*)common_name, common_name_size,
+      property);
   OPENSSL_free(common_name);
   return result;
 }
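Review bot: The new `TSI_NOT_FOUND` branch carries no comment saying why a missing CN is now tolerated, which is the first thing someone auditing the name check will ask. I would add above it `/* A cert may carry its names only in the SAN extension; expose an empty CN instead of returning an error. */`. An empty CN cannot match any name, because `does_entry_match_name` returns 0 when `entry_length == 0`. The function starts outside this hunk, so I am assuming `common_name` is left unset when `ssl_get_x509_common_name` returns `TSI_NOT_FOUND`.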
@@ -1036,9 +1068,22 @@ static void ssl_server_handshaker_factory_destroy(
 
 static int does_entry_match_name(const char* entry, size_t entry_length,
                                  const char* name) {
+  const char *dot;
   const char* name_subdomain = NULL;
+  size_t name_length = strlen(name);
+  size_t name_subdomain_length;
   if (entry_length == 0) return 0;
-  if (!strncmp(name, entry, entry_length) && (strlen(name) == entry_length)) {
+
+  /* Take care of '.' terminations. */
+  if (name[name_length - 1] == '.') {
+    name_length--;
+  }
+  if (entry[entry_length - 1] == '.') {
+    entry_length--;
+    if (entry_length == 0) return 0;
+  }
+
+  if ((name_length == entry_length) && !strncmp(name, entry, entry_length)) {
     return 1; /* Perfect match. */
   }
   if (entry[0] != '*') return 0;
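Review bot: `name[name_length - 1]` reads outside the buffer when `name` is the empty string, because `name_length` is 0 and the index underflows; only `entry_length` is tested for zero before it. The servername callback in the next hunk tests for an empty `servername`, but `tsi_ssl_peer_matches_name` passes `name` through with no visible length check, and `looks_like_ip_address("")` returns 0 so the empty string is not filtered there either. Extend the existing guard to `if (entry_length == 0 || name_length == 0) return 0;`. The function continues past the end of this hunk.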
@@ -1049,18 +1094,28 @@ static int does_entry_match_name(const char* entry, size_t entry_length,
     return 0;
   }
   name_subdomain = strchr(name, '.');
-  if (name_subdomain == NULL || strlen(name_subdomain) < 2) return 0;
+  name_subdomain_length = strlen(name_subdomain);
+  if (name_subdomain == NULL || name_subdomain_length < 2) return 0;
   name_subdomain++; /* Starts after the dot. */
+  name_subdomain_length--;
   entry += 2;       /* Remove *. */
   entry_length -= 2;
-  return (!strncmp(entry, name_subdomain, entry_length) &&
-          (strlen(name_subdomain) == entry_length));
+  dot = strchr(name_subdomain, '.');
+  if ((dot == NULL) || (dot == &name_subdomain[name_subdomain_length - 1])) {
+    gpr_log(GPR_ERROR, "Invalid toplevel subdomain: %s", name_subdomain);
+    return 0;
+  }
+  if (name_subdomain[name_subdomain_length - 1] == '.') {
+    name_subdomain_length--;
+  }
+  return ((entry_length > 0) && (name_subdomain_length == entry_length) &&
+          !strncmp(entry, name_subdomain, entry_length));
 }
 
 static int ssl_server_handshaker_factory_servername_callback(SSL* ssl, int* ap,
                                                              void* arg) {
   tsi_ssl_server_handshaker_factory* impl =
-      (tsi_ssl_server_handshaker_factory*)arg;
+     (tsi_ssl_server_handshaker_factory*)arg;
   size_t i = 0;
   const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
   if (servername == NULL || strlen(servername) == 0) {
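Review bot: `strlen(name_subdomain)` now runs before the `name_subdomain == NULL` test, so a `name` with no '.' compared against a wildcard entry dereferences a null pointer instead of returning 0 (assuming the entry passes the checks that sit between the two hunks). The entry side of the comparison comes from the peer certificate in `tsi_ssl_peer_matches_name`, so this path is reachable with remote input whenever the target name is dotless. Test the pointer first: `if (name_subdomain == NULL) return 0;`, then `name_subdomain_length = strlen(name_subdomain);`, then `if (name_subdomain_length < 2) return 0;`. The function starts in the previous hunk.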
@@ -1283,17 +1338,13 @@ tsi_result tsi_create_ssl_server_handshaker_factory(
 
 int tsi_ssl_peer_matches_name(const tsi_peer* peer, const char* name) {
   size_t i = 0;
-  const tsi_peer_property* property = tsi_peer_get_property_by_name(
-      peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
-  if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_STRING) {
-    gpr_log(GPR_ERROR, "Invalid x509 subject common name property.");
-    return 0;
-  }
-  if (does_entry_match_name(property->value.string.data,
-                            property->value.string.length, name)) {
-    return 1;
-  }
+  size_t san_count = 0;
+  const tsi_peer_property* property = NULL;
 
+  /* For now reject what looks like an IP address. */
+  if (looks_like_ip_address(name)) return 0;
+
+  /* Check the SAN first. */
   property = tsi_peer_get_property_by_name(
       peer, TSI_X509_SUBJECT_ALTERNATIVE_NAMES_PEER_PROPERTY);
   if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_LIST) {
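Review bot: The early `return 0` for IP-looking names is silent, whereas the invalid-property paths in this function log through `gpr_log(GPR_ERROR, ...)`; a client connecting by IP literal gets a failed peer check with nothing in the log to explain it. I would log the reason, e.g. `gpr_log(GPR_ERROR, "Peer name %s looks like an IP address; not supported.", name);`. `name` also goes straight into `looks_like_ip_address`, which calls `strlen` on it, so a NULL `name` is not tolerated; either state that precondition in the header or add `if (name == NULL) return 0;` first. The function body continues outside this hunk.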
@@ -1301,7 +1352,8 @@ int tsi_ssl_peer_matches_name(const tsi_peer* peer, const char* name) {
     return 0;
   }
 
-  for (i = 0; i < property->value.list.child_count; i++) {
+  san_count = property->value.list.child_count;
+  for (i = 0; i < san_count; i++) {
     const tsi_peer_property* alt_name_property =
         &property->value.list.children[i];
     if (alt_name_property->type != TSI_PEER_PROPERTY_TYPE_STRING) {
@@ -1313,5 +1365,20 @@ int tsi_ssl_peer_matches_name(const tsi_peer* peer, const char* name) {
       return 1;
     }
   }
+
+  /* If there's no SAN, try the CN. */
+  if (san_count == 0) {
+    property = tsi_peer_get_property_by_name(
+        peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
+    if (property == NULL || property->type != TSI_PEER_PROPERTY_TYPE_STRING) {
+      gpr_log(GPR_ERROR, "Invalid x509 subject common name property.");
+      return 0;
+    }
+    if (does_entry_match_name(property->value.string.data,
+                              property->value.string.length, name)) {
+      return 1;
+    }
+  }
+
   return 0; /* Not found. */
 }
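Review bot: The CN fallback is gated on `san_count == 0`, that is on the SAN list having no children of any kind, and the comment `/* If there's no SAN, try the CN. */` does not say that this is a deliberate rule rather than a convenience. I would expand it to `/* Only fall back to the CN when the cert has no SAN entries at all; a cert that carries SANs must match on one of them. */`. The fallback is reachable only if the SAN property exists as an empty list for certs without the extension, because a missing or non-list property returns 0 earlier in the function. That construction is outside this diff, so it is worth confirming and covering with a test case.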

+ 6 - 1
src/core/tsi/ssl_transport_security.h

@@ -158,7 +158,12 @@ tsi_result tsi_ssl_handshaker_factory_create_handshaker(
    while handshakers created with this factory are still in use.  */
 void tsi_ssl_handshaker_factory_destroy(tsi_ssl_handshaker_factory* self);
 
-/* Util that checks that an ssl peer matches a specific name. */
+/* Util that checks that an ssl peer matches a specific name.
+   Still TODO(jboeuf):
+   - handle mixed case.
+   - handle %encoded chars.
+   - handle public suffix wildchar more strictly (e.g. *.co.uk)
+   - handle IP addresses in SAN. */
 int tsi_ssl_peer_matches_name(const tsi_peer* peer, const char* name);
 
 #ifdef __cplusplus
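Review bot: The header comment lists what is still TODO but not what the function guarantees today, and callers base a trust decision on this return value. I would add the contract as implemented in the .c file: returns 1 on a match and 0 otherwise; names that look like IPv4 addresses are always rejected; SAN entries are checked first and the CN is consulted only when the SAN list is empty; a leading `*.` in an entry stands for exactly one label. The "mixed case" item means the comparison is currently case-sensitive (`strncmp`), which is worth stating outright so callers know to normalise. `wildchar` should read `wildcard`.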

+ 1 - 1
src/node/test/interop_sanity_test.js

@@ -40,7 +40,7 @@ var server;
 
 var port;
 
-var name_override = 'foo.test.google.com';
+var name_override = 'foo.test.google.fr';
 
 describe('Interop tests', function() {
   before(function(done) {

+ 1 - 1
src/php/tests/interop/interop_client.php

@@ -215,7 +215,7 @@ $stub = new grpc\testing\TestServiceClient(
     new Grpc\BaseStub(
         $server_address,
         [
-            'grpc.ssl_target_name_override' => 'foo.test.google.com',
+            'grpc.ssl_target_name_override' => 'foo.test.google.fr',
             'credentials' => $credentials
          ]));
 

+ 1 - 1
src/php/tests/unit_tests/SecureEndToEndTest.php

@@ -47,7 +47,7 @@ class SecureEndToEndTest extends PHPUnit_Framework_TestCase{
     $this->channel = new Grpc\Channel(
         'localhost:' . $port,
         [
-            'grpc.ssl_target_name_override' => 'foo.test.google.com',
+            'grpc.ssl_target_name_override' => 'foo.test.google.fr',
             'credentials' => $credentials
          ]);
   }

+ 1 - 1
src/ruby/bin/interop/interop_client.rb

@@ -291,7 +291,7 @@ Args = Struct.new(:default_service_account, :host, :host_override,
 # validates the the command line options, returning them as a Hash.
 def parse_args
   args = Args.new
-  args.host_override = 'foo.test.google.com'
+  args.host_override = 'foo.test.google.fr'
   OptionParser.new do |opts|
     opts.on('--oauth_scope scope',
             'Scope for OAuth tokens') { |v| args['oauth_scope'] = v }

+ 1 - 1
src/ruby/bin/math_client.rb

@@ -127,7 +127,7 @@ def main
   if options['secure']
     stub_opts = {
       :creds => test_creds,
-      GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.com'
+      GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.fr'
     }
     p stub_opts
     p options['host']

+ 1 - 1
src/ruby/bin/noproto_client.rb

@@ -89,7 +89,7 @@ def main
   if options['secure']
     stub_opts = {
       :creds => test_creds,
-      GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.com'
+      GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.fr'
     }
     p stub_opts
     p options['host']

+ 1 - 1
src/ruby/spec/client_server_spec.rb

@@ -353,7 +353,7 @@ describe 'the secure http client/server' do
     @server = GRPC::Core::Server.new(@server_queue, nil, server_creds)
     server_port = @server.add_http2_port(server_host, true)
     @server.start
-    args = { Channel::SSL_TARGET => 'foo.test.google.com' }
+    args = { Channel::SSL_TARGET => 'foo.test.google.fr' }
     @ch = Channel.new("0.0.0.0:#{server_port}", args,
                       GRPC::Core::Credentials.new(certs[0], nil, nil))
   end

+ 1 - 1
src/ruby/spec/generic/client_stub_spec.rb

@@ -116,7 +116,7 @@ describe 'ClientStub' do
       host = FAKE_HOST
       blk = proc do
         opts = {
-          GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.com',
+          GRPC::Core::Channel::SSL_TARGET => 'foo.test.google.fr',
           a_channel_arg: 'an_arg',
           creds: GRPC::Core::Credentials.new(certs[0], nil, nil)
         }

+ 2 - 2
test/core/end2end/dualstack_socket_test.c

@@ -112,7 +112,7 @@ void test_connect(const char *server_host, const char *client_host, int port,
   }
 
   /* Send a trivial request. */
-  c = grpc_channel_create_call_old(client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -126,7 +126,7 @@ void test_connect(const char *server_host, const char *client_host, int port,
 
     GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(server, tag(100)));
     cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                             "foo.test.google.com", deadline, NULL);
+                             "foo.test.google.fr", deadline, NULL);
     cq_verify(v_server);
 
     GPR_ASSERT(GRPC_CALL_OK ==

+ 1 - 1
test/core/end2end/fixtures/chttp2_simple_ssl_fullstack.c

@@ -105,7 +105,7 @@ static void chttp2_init_client_simple_ssl_secure_fullstack(
       grpc_ssl_credentials_create(NULL, NULL);
   grpc_arg ssl_name_override = {GRPC_ARG_STRING,
                                 GRPC_SSL_TARGET_NAME_OVERRIDE_ARG,
-                                {"foo.test.google.com"}};
+                                {"foo.test.google.fr"}};
   grpc_channel_args *new_client_args =
       grpc_channel_args_copy_and_add(client_args, &ssl_name_override);
   chttp2_init_client_secure_fullstack(f, new_client_args, ssl_creds);

+ 1 - 1
test/core/end2end/fixtures/chttp2_simple_ssl_with_oauth2_fullstack.c

@@ -107,7 +107,7 @@ static void chttp2_init_client_simple_ssl_with_oauth2_secure_fullstack(
       grpc_composite_credentials_create(ssl_creds, oauth2_creds);
   grpc_arg ssl_name_override = {GRPC_ARG_STRING,
                                 GRPC_SSL_TARGET_NAME_OVERRIDE_ARG,
-                                {"foo.test.google.com"}};
+                                {"foo.test.google.fr"}};
   grpc_channel_args *new_client_args =
       grpc_channel_args_copy_and_add(client_args, &ssl_name_override);
   chttp2_init_client_secure_fullstack(f, new_client_args, ssl_oauth2_creds);

+ 1 - 1
test/core/end2end/tests/cancel_after_accept.c

@@ -132,7 +132,7 @@ static void test_cancel_after_accept(grpc_end2end_test_config config,
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);

+ 2 - 2
test/core/end2end/tests/cancel_after_accept_and_writes_closed.c

@@ -113,7 +113,7 @@ static void test_cancel_after_accept_and_writes_closed(
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -122,7 +122,7 @@ static void test_cancel_after_accept_and_writes_closed(
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/cancel_after_accept_and_writes_closed_legacy.c

@@ -113,7 +113,7 @@ static void test_cancel_after_accept_and_writes_closed(
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -121,7 +121,7 @@ static void test_cancel_after_accept_and_writes_closed(
              grpc_call_invoke_old(c, f.client_cq, tag(2), tag(3), 0));
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/cancel_after_accept_legacy.c

@@ -113,7 +113,7 @@ static void test_cancel_after_accept(grpc_end2end_test_config config,
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -121,7 +121,7 @@ static void test_cancel_after_accept(grpc_end2end_test_config config,
              grpc_call_invoke_old(c, f.client_cq, tag(2), tag(3), 0));
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 1 - 1
test/core/end2end/tests/cancel_after_invoke.c

@@ -125,7 +125,7 @@ static void test_cancel_after_invoke(grpc_end2end_test_config config,
       grpc_byte_buffer_create(&request_payload_slice, 1);
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);

+ 1 - 1
test/core/end2end/tests/cancel_after_invoke_legacy.c

@@ -111,7 +111,7 @@ static void test_cancel_after_invoke(grpc_end2end_test_config config,
   gpr_timespec deadline = five_seconds_time();
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 

+ 1 - 1
test/core/end2end/tests/cancel_before_invoke.c

@@ -123,7 +123,7 @@ static void test_cancel_before_invoke(grpc_end2end_test_config config, int test_
       grpc_byte_buffer_create(&request_payload_slice, 1);
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_call_cancel(c));

+ 1 - 1
test/core/end2end/tests/cancel_before_invoke_legacy.c

@@ -109,7 +109,7 @@ static void test_cancel_before_invoke(grpc_end2end_test_config config) {
   gpr_timespec deadline = five_seconds_time();
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 

+ 1 - 1
test/core/end2end/tests/cancel_in_a_vacuum.c

@@ -110,7 +110,7 @@ static void test_cancel_in_a_vacuum(grpc_end2end_test_config config,
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   GPR_ASSERT(GRPC_CALL_OK == mode.initiate_cancel(c));

+ 1 - 1
test/core/end2end/tests/cancel_in_a_vacuum_legacy.c

@@ -109,7 +109,7 @@ static void test_cancel_in_a_vacuum(grpc_end2end_test_config config,
   gpr_timespec deadline = five_seconds_time();
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 

+ 2 - 2
test/core/end2end/tests/census_simple_request.c

@@ -106,7 +106,7 @@ static void test_body(grpc_end2end_test_fixture f) {
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
   tag(1);
@@ -118,7 +118,7 @@ static void test_body(grpc_end2end_test_fixture f) {
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/census_simple_request_legacy.c

@@ -106,7 +106,7 @@ static void test_body(grpc_end2end_test_fixture f) {
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
   tag(1);
@@ -118,7 +118,7 @@ static void test_body(grpc_end2end_test_fixture f) {
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/disappearing_server.c

@@ -97,7 +97,7 @@ static void do_request_and_shutdown_server(grpc_end2end_test_fixture *f,
   grpc_call *s;
   gpr_timespec deadline = five_seconds_time();
 
-  c = grpc_channel_create_call_old(f->client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f->client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -110,7 +110,7 @@ static void do_request_and_shutdown_server(grpc_end2end_test_fixture *f,
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f->server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/disappearing_server_legacy.c

@@ -97,7 +97,7 @@ static void do_request_and_shutdown_server(grpc_end2end_test_fixture *f,
   grpc_call *s;
   gpr_timespec deadline = five_seconds_time();
 
-  c = grpc_channel_create_call_old(f->client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f->client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -109,7 +109,7 @@ static void do_request_and_shutdown_server(grpc_end2end_test_fixture *f,
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f->server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/early_server_shutdown_finishes_inflight_calls.c

@@ -111,7 +111,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -124,7 +124,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/early_server_shutdown_finishes_inflight_calls_legacy.c

@@ -111,7 +111,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -123,7 +123,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 1 - 1
test/core/end2end/tests/empty_batch.c

@@ -111,7 +111,7 @@ static void empty_batch_body(grpc_end2end_test_fixture f) {
   grpc_op *op = NULL;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_call_start_batch(c, op, 0, tag(1)));

+ 2 - 2
test/core/end2end/tests/graceful_server_shutdown.c

@@ -110,7 +110,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -123,7 +123,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/graceful_server_shutdown_legacy.c

@@ -110,7 +110,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -122,7 +122,7 @@ static void test_early_server_shutdown_finishes_inflight_calls(
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/invoke_large_request.c

@@ -122,7 +122,7 @@ static void test_invoke_large_request(grpc_end2end_test_config config) {
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -139,7 +139,7 @@ static void test_invoke_large_request(grpc_end2end_test_config config) {
   cq_verify_empty(v_client);
 
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/invoke_large_request_legacy.c

@@ -122,7 +122,7 @@ static void test_invoke_large_request(grpc_end2end_test_config config) {
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -138,7 +138,7 @@ static void test_invoke_large_request(grpc_end2end_test_config config) {
      request (as this request is very large) */
   cq_verify_empty(v_client);
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 6 - 6
test/core/end2end/tests/max_concurrent_streams.c

@@ -109,7 +109,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -122,7 +122,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==
@@ -182,10 +182,10 @@ static void test_max_concurrent_streams(grpc_end2end_test_config config) {
   /* start two requests - ensuring that the second is not accepted until
      the first completes */
   deadline = five_seconds_time();
-  c1 = grpc_channel_create_call_old(f.client, "/alpha", "foo.test.google.com",
+  c1 = grpc_channel_create_call_old(f.client, "/alpha", "foo.test.google.fr",
                                     deadline);
   GPR_ASSERT(c1);
-  c2 = grpc_channel_create_call_old(f.client, "/beta", "foo.test.google.com",
+  c2 = grpc_channel_create_call_old(f.client, "/beta", "foo.test.google.fr",
                                     deadline);
   GPR_ASSERT(c1);
 
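Review bot: The assertion that follows the `c2` assignment still checks `c1`, so a failed creation of the second call is not caught at this point and would only surface later in the test as a less obvious failure. Since the commit already rewrites the `c2` line, the check beneath it should become `GPR_ASSERT(c2);`. The same context line appears in the corresponding `@@ -182,10 +182,10 @@` hunk of test/core/end2end/tests/max_concurrent_streams_legacy.c. test_max_concurrent_streams begins and ends outside the hunk, so whether `c2` is validated elsewhere cannot be seen from here.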
@@ -211,7 +211,7 @@ static void test_max_concurrent_streams(grpc_end2end_test_config config) {
 
   cq_expect_server_rpc_new(v_server, &s1, tag(100),
                            live_call == 300 ? "/alpha" : "/beta",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==
@@ -237,7 +237,7 @@ static void test_max_concurrent_streams(grpc_end2end_test_config config) {
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(200)));
   cq_expect_server_rpc_new(v_server, &s2, tag(200),
                            live_call == 300 ? "/alpha" : "/beta",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 6 - 6
test/core/end2end/tests/max_concurrent_streams_legacy.c

@@ -109,7 +109,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -121,7 +121,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 
@@ -182,10 +182,10 @@ static void test_max_concurrent_streams(grpc_end2end_test_config config) {
   /* start two requests - ensuring that the second is not accepted until
      the first completes */
   deadline = five_seconds_time();
-  c1 = grpc_channel_create_call_old(f.client, "/alpha", "foo.test.google.com",
+  c1 = grpc_channel_create_call_old(f.client, "/alpha", "foo.test.google.fr",
                                     deadline);
   GPR_ASSERT(c1);
-  c2 = grpc_channel_create_call_old(f.client, "/beta", "foo.test.google.com",
+  c2 = grpc_channel_create_call_old(f.client, "/beta", "foo.test.google.fr",
                                     deadline);
   GPR_ASSERT(c1);
 
@@ -211,7 +211,7 @@ static void test_max_concurrent_streams(grpc_end2end_test_config config) {
 
   cq_expect_server_rpc_new(v_server, &s1, tag(100),
                            live_call == 300 ? "/alpha" : "/beta",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==
@@ -237,7 +237,7 @@ static void test_max_concurrent_streams(grpc_end2end_test_config config) {
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(200)));
   cq_expect_server_rpc_new(v_server, &s2, tag(200),
                            live_call == 300 ? "/alpha" : "/beta",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/ping_pong_streaming.c

@@ -118,7 +118,7 @@ static void test_pingpong_streaming(grpc_end2end_test_config config,
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
   gpr_log(GPR_INFO, "testing with %d message pairs.", messages);
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -128,7 +128,7 @@ static void test_pingpong_streaming(grpc_end2end_test_config config,
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
 
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
   GPR_ASSERT(GRPC_CALL_OK ==
              grpc_call_server_accept_old(s, f.server_cq, tag(102)));

+ 2 - 2
test/core/end2end/tests/ping_pong_streaming_legacy.c

@@ -118,7 +118,7 @@ static void test_pingpong_streaming(grpc_end2end_test_config config,
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
   gpr_log(GPR_INFO, "testing with %d message pairs.", messages);
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -127,7 +127,7 @@ static void test_pingpong_streaming(grpc_end2end_test_config config,
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/request_response_with_binary_metadata_and_payload.c

@@ -140,7 +140,7 @@ static void test_request_response_with_metadata_and_payload(
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -210,7 +210,7 @@ static void test_request_response_with_metadata_and_payload(
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
   GPR_ASSERT(byte_buffer_eq_string(request_payload_recv, "hello world"));
   GPR_ASSERT(byte_buffer_eq_string(response_payload_recv, "hello you"));

+ 2 - 2
test/core/end2end/tests/request_response_with_binary_metadata_and_payload_legacy.c

@@ -137,7 +137,7 @@ static void test_request_response_with_metadata_and_payload(
   gpr_slice_unref(request_payload_slice);
   gpr_slice_unref(response_payload_slice);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -157,7 +157,7 @@ static void test_request_response_with_metadata_and_payload(
   cq_verify(v_client);
 
   cq_expect_server_rpc_new(
-      v_server, &s, tag(100), "/foo", "foo.test.google.com", deadline, "key1-bin",
+      v_server, &s, tag(100), "/foo", "foo.test.google.fr", deadline, "key1-bin",
       "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc", "key2-bin",
       "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d", NULL);
   cq_verify(v_server);

+ 2 - 2
test/core/end2end/tests/request_response_with_metadata_and_payload.c

@@ -133,7 +133,7 @@ static void test_request_response_with_metadata_and_payload(
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -203,7 +203,7 @@ static void test_request_response_with_metadata_and_payload(
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
   GPR_ASSERT(byte_buffer_eq_string(request_payload_recv, "hello world"));
   GPR_ASSERT(byte_buffer_eq_string(response_payload_recv, "hello you"));

+ 2 - 2
test/core/end2end/tests/request_response_with_metadata_and_payload_legacy.c

@@ -128,7 +128,7 @@ static void test_request_response_with_metadata_and_payload(
   gpr_slice_unref(request_payload_slice);
   gpr_slice_unref(response_payload_slice);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -147,7 +147,7 @@ static void test_request_response_with_metadata_and_payload(
   cq_expect_write_accepted(v_client, tag(4), GRPC_OP_OK);
   cq_verify(v_client);
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, "key1", "val1", "key2", "val2", NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/request_response_with_payload.c

@@ -128,7 +128,7 @@ static void request_response_with_payload(grpc_end2end_test_fixture f) {
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -196,7 +196,7 @@ static void request_response_with_payload(grpc_end2end_test_fixture f) {
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
   GPR_ASSERT(byte_buffer_eq_string(request_payload_recv, "hello world"));
   GPR_ASSERT(byte_buffer_eq_string(response_payload_recv, "hello you"));

+ 2 - 2
test/core/end2end/tests/request_response_with_payload_legacy.c

@@ -121,7 +121,7 @@ static void request_response_with_payload(grpc_end2end_test_fixture f) {
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -136,7 +136,7 @@ static void request_response_with_payload(grpc_end2end_test_fixture f) {
   cq_expect_write_accepted(v_client, tag(4), GRPC_OP_OK);
   cq_verify(v_client);
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/request_response_with_trailing_metadata_and_payload.c

@@ -134,7 +134,7 @@ static void test_request_response_with_metadata_and_payload(
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -205,7 +205,7 @@ static void test_request_response_with_metadata_and_payload(
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 1);
   GPR_ASSERT(byte_buffer_eq_string(request_payload_recv, "hello world"));
   GPR_ASSERT(byte_buffer_eq_string(response_payload_recv, "hello you"));

+ 2 - 2
test/core/end2end/tests/request_response_with_trailing_metadata_and_payload_legacy.c

@@ -130,7 +130,7 @@ static void test_request_response_with_metadata_and_payload(
   gpr_slice_unref(request_payload_slice);
   gpr_slice_unref(response_payload_slice);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -149,7 +149,7 @@ static void test_request_response_with_metadata_and_payload(
   cq_expect_write_accepted(v_client, tag(4), GRPC_OP_OK);
   cq_verify(v_client);
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, "key1", "val1", "key2", "val2", NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/request_with_large_metadata.c

@@ -128,7 +128,7 @@ static void test_request_with_large_metadata(grpc_end2end_test_config config) {
   const int large_size = 64 * 1024;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   meta.key = "key";
@@ -197,7 +197,7 @@ static void test_request_with_large_metadata(grpc_end2end_test_config config) {
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
   GPR_ASSERT(byte_buffer_eq_string(request_payload_recv, "hello world"));
   GPR_ASSERT(contains_metadata(&request_metadata_recv, "key", meta.value));

+ 2 - 2
test/core/end2end/tests/request_with_large_metadata_legacy.c

@@ -121,7 +121,7 @@ static void test_request_with_large_metadata(grpc_end2end_test_config config) {
   ((char*)meta.value)[large_size] = 0;
   meta.value_length = large_size;
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -131,7 +131,7 @@ static void test_request_with_large_metadata(grpc_end2end_test_config config) {
   GPR_ASSERT(GRPC_CALL_OK ==
              grpc_call_invoke_old(c, f.client_cq, tag(2), tag(3), 0));
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, "key", meta.value, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/request_with_payload.c

@@ -126,7 +126,7 @@ static void test_invoke_request_with_payload(grpc_end2end_test_config config) {
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -188,7 +188,7 @@ static void test_invoke_request_with_payload(grpc_end2end_test_config config) {
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
   GPR_ASSERT(byte_buffer_eq_string(request_payload_recv, "hello world"));
 

+ 2 - 2
test/core/end2end/tests/request_with_payload_legacy.c

@@ -116,7 +116,7 @@ static void test_invoke_request_with_payload(grpc_end2end_test_config config) {
   /* byte buffer holds the slice, we can unref it already */
   gpr_slice_unref(payload_slice);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -132,7 +132,7 @@ static void test_invoke_request_with_payload(grpc_end2end_test_config config) {
   cq_expect_write_accepted(v_client, tag(4), GRPC_OP_OK);
   cq_verify(v_client);
 
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/simple_delayed_request.c

@@ -114,7 +114,7 @@ static void simple_delayed_request_body(grpc_end2end_test_config config,
   config.init_client(f, client_args);
 
   c = grpc_channel_create_call(f->client, f->client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -172,7 +172,7 @@ static void simple_delayed_request_body(grpc_end2end_test_config config,
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
 
   gpr_free(details);

+ 2 - 2
test/core/end2end/tests/simple_delayed_request_legacy.c

@@ -103,7 +103,7 @@ static void simple_delayed_request_body(grpc_end2end_test_config config,
 
   config.init_client(f, client_args);
 
-  c = grpc_channel_create_call_old(f->client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f->client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -119,7 +119,7 @@ static void simple_delayed_request_body(grpc_end2end_test_config config,
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f->server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 2 - 2
test/core/end2end/tests/simple_request.c

@@ -122,7 +122,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   int was_cancelled = 2;
 
   c = grpc_channel_create_call(f.client, f.client_cq, "/foo",
-                               "foo.test.google.com", deadline);
+                               "foo.test.google.fr", deadline);
   GPR_ASSERT(c);
 
   grpc_metadata_array_init(&initial_metadata_recv);
@@ -178,7 +178,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   GPR_ASSERT(status == GRPC_STATUS_UNIMPLEMENTED);
   GPR_ASSERT(0 == strcmp(details, "xyz"));
   GPR_ASSERT(0 == strcmp(call_details.method, "/foo"));
-  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.com"));
+  GPR_ASSERT(0 == strcmp(call_details.host, "foo.test.google.fr"));
   GPR_ASSERT(was_cancelled == 0);
 
   gpr_free(details);

+ 4 - 4
test/core/end2end/tests/simple_request_legacy.c

@@ -110,7 +110,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -122,7 +122,7 @@ static void simple_request_body(grpc_end2end_test_fixture f) {
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 
@@ -157,7 +157,7 @@ static void simple_request_body2(grpc_end2end_test_fixture f) {
   cq_verifier *v_client = cq_verifier_create(f.client_cq);
   cq_verifier *v_server = cq_verifier_create(f.server_cq);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -169,7 +169,7 @@ static void simple_request_body2(grpc_end2end_test_fixture f) {
   cq_verify(v_client);
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
-  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.com",
+  cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo", "foo.test.google.fr",
                            deadline, NULL);
   cq_verify(v_server);
 

+ 1 - 1
test/core/end2end/tests/thread_stress.c

@@ -109,7 +109,7 @@ static void start_request(void) {
   gpr_slice slice = gpr_slice_malloc(100);
   grpc_byte_buffer *buf;
   grpc_call *call = grpc_channel_create_call_old(
-      g_fixture.client, "/Foo", "foo.test.google.com", g_test_end_time);
+      g_fixture.client, "/Foo", "foo.test.google.fr", g_test_end_time);
 
   memset(GPR_SLICE_START_PTR(slice), 1, GPR_SLICE_LENGTH(slice));
   buf = grpc_byte_buffer_create(&slice, 1);

+ 1 - 1
test/core/end2end/tests/thread_stress_legacy.c

@@ -109,7 +109,7 @@ static void start_request(void) {
   gpr_slice slice = gpr_slice_malloc(100);
   grpc_byte_buffer *buf;
   grpc_call *call = grpc_channel_create_call_old(
-      g_fixture.client, "/Foo", "foo.test.google.com", g_test_end_time);
+      g_fixture.client, "/Foo", "foo.test.google.fr", g_test_end_time);
 
   memset(GPR_SLICE_START_PTR(slice), 1, GPR_SLICE_LENGTH(slice));
   buf = grpc_byte_buffer_create(&slice, 1);

+ 2 - 2
test/core/end2end/tests/writes_done_hangs_with_pending_read.c

@@ -124,7 +124,7 @@ static void test_writes_done_hangs_with_pending_read(
   gpr_slice_unref(request_payload_slice);
   gpr_slice_unref(response_payload_slice);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -141,7 +141,7 @@ static void test_writes_done_hangs_with_pending_read(
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 2 - 2
test/core/end2end/tests/writes_done_hangs_with_pending_read_legacy.c

@@ -124,7 +124,7 @@ static void test_writes_done_hangs_with_pending_read(
   gpr_slice_unref(request_payload_slice);
   gpr_slice_unref(response_payload_slice);
 
-  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.com",
+  c = grpc_channel_create_call_old(f.client, "/foo", "foo.test.google.fr",
                                    deadline);
   GPR_ASSERT(c);
 
@@ -141,7 +141,7 @@ static void test_writes_done_hangs_with_pending_read(
 
   GPR_ASSERT(GRPC_CALL_OK == grpc_server_request_call_old(f.server, tag(100)));
   cq_expect_server_rpc_new(v_server, &s, tag(100), "/foo",
-                           "foo.test.google.com", deadline, NULL);
+                           "foo.test.google.fr", deadline, NULL);
   cq_verify(v_server);
 
   GPR_ASSERT(GRPC_CALL_OK ==

+ 303 - 0
test/core/tsi/transport_security_test.c

@@ -0,0 +1,303 @@
+/*
+ *
+ * Copyright 2015, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "src/core/tsi/transport_security.h"
+
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/useful.h>
+
+#include "src/core/support/string.h"
+#include "src/core/tsi/ssl_transport_security.h"
+#include "test/core/util/test_config.h"
+
+typedef struct {
+  /* 1 if success, 0 if failure. */
+  int expected;
+
+  /* Host name to match. */
+  const char *host_name;
+
+  /* Common name (CN). */
+  const char *common_name;
+
+  /* Comma separated list of certificate names to match against. Any occurrence
+     of '#' will be replaced with a null character before processing. */
+  const char *dns_names;
+
+} cert_name_test_entry;
+
+/* Largely inspired from:
+   chromium/src/net/cert/x509_certificate_unittest.cc.
+   TODO(jboeuf) uncomment test cases as we fix tsi_ssl_peer_matches_name. */
+const cert_name_test_entry cert_name_test_entries[] = {
+    {1, "foo.com", "foo.com", NULL},
+    {1, "f", "f", NULL},
+    {0, "h", "i", NULL},
+    {1, "bar.foo.com", "*.foo.com", NULL},
+    {1, "www.test.fr", "common.name",
+     "*.test.com,*.test.co.uk,*.test.de,*.test.fr"},
+    /*
+    {1, "wwW.tESt.fr", "common.name", ",*.*,*.test.de,*.test.FR,www"},
+    */
+    {0, "f.uk", ".uk", NULL},
+    {0, "w.bar.foo.com", "?.bar.foo.com", NULL},
+    {0, "www.foo.com", "(www|ftp).foo.com", NULL},
+    {0, "www.foo.com", "www.foo.com#", NULL}, /* # = null char. */
+    {0, "www.foo.com", "", "www.foo.com#*.foo.com,#,#"},
+    {0, "www.house.example", "ww.house.example", NULL},
+    {0, "test.org", "", "www.test.org,*.test.org,*.org"},
+    {0, "w.bar.foo.com", "w*.bar.foo.com", NULL},
+    {0, "www.bar.foo.com", "ww*ww.bar.foo.com", NULL},
+    {0, "wwww.bar.foo.com", "ww*ww.bar.foo.com", NULL},
+    {0, "wwww.bar.foo.com", "w*w.bar.foo.com", NULL},
+    {0, "wwww.bar.foo.com", "w*w.bar.foo.c0m", NULL},
+    {0, "WALLY.bar.foo.com", "wa*.bar.foo.com", NULL},
+    {0, "wally.bar.foo.com", "*Ly.bar.foo.com", NULL},
+    /*
+    {1, "ww%57.foo.com", "", "www.foo.com"},
+    {1, "www&.foo.com", "www%26.foo.com", NULL},
+    */
+
+    /* Common name must not be used if subject alternative name was provided. */
+    {0, "www.test.co.jp", "www.test.co.jp",
+     "*.test.de,*.jp,www.test.co.uk,www.*.co.jp"},
+    {0, "www.bar.foo.com", "www.bar.foo.com",
+     "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com,"},
+
+    /* IDN tests */
+    {1, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br", NULL},
+    {1, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br", NULL},
+    {0, "xn--poema-9qae5a.com.br", "",
+     "*.xn--poema-9qae5a.com.br,"
+     "xn--poema-*.com.br,"
+     "xn--*-9qae5a.com.br,"
+     "*--poema-9qae5a.com.br"},
+
+    /* The following are adapted from the  examples quoted from
+       http://tools.ietf.org/html/rfc6125#section-6.4.3
+        (e.g., *.example.com would match foo.example.com but
+         not bar.foo.example.com or example.com). */
+    {1, "foo.example.com", "*.example.com", NULL},
+    {0, "bar.foo.example.com", "*.example.com", NULL},
+    {0, "example.com", "*.example.com", NULL},
+
+    /* Partial wildcards are disallowed, though RFC 2818 rules allow them.
+       That is, forms such as baz*.example.net, *baz.example.net, and
+       b*z.example.net should NOT match domains. Instead, the wildcard must
+       always be the left-most label, and only a single label. */
+    {0, "baz1.example.net", "baz*.example.net", NULL},
+    {0, "foobaz.example.net", "*baz.example.net", NULL},
+    {0, "buzz.example.net", "b*z.example.net", NULL},
+    {0, "www.test.example.net", "www.*.example.net", NULL},
+
+    /* Wildcards should not be valid for public registry controlled domains,
+       and unknown/unrecognized domains, at least three domain components must
+       be present. */
+    {1, "www.test.example", "*.test.example", NULL},
+    {1, "test.example.co.uk", "*.example.co.uk", NULL},
+    {0, "test.example", "*.example", NULL},
+    /*
+    {0, "example.co.uk", "*.co.uk", NULL},
+    */
+    {0, "foo.com", "*.com", NULL},
+    {0, "foo.us", "*.us", NULL},
+    {0, "foo", "*", NULL},
+
+    /* IDN variants of wildcards and registry controlled domains. */
+    {1, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br", NULL},
+    {1, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h", NULL},
+    /*
+    {0, "xn--poema-9qae5a.com.br", "*.com.br", NULL},
+    */
+    {0, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h", NULL},
+
+    /* Wildcards should be permissible for 'private' registry controlled
+       domains. */
+    {1, "www.appspot.com", "*.appspot.com", NULL},
+    {1, "foo.s3.amazonaws.com", "*.s3.amazonaws.com", NULL},
+
+    /* Multiple wildcards are not valid. */
+    {0, "foo.example.com", "*.*.com", NULL},
+    {0, "foo.bar.example.com", "*.bar.*.com", NULL},
+
+    /* Absolute vs relative DNS name tests. Although not explicitly specified
+       in RFC 6125, absolute reference names (those ending in a .) should
+       match either absolute or relative presented names. */
+    {1, "foo.com", "foo.com.", NULL},
+    {1, "foo.com.", "foo.com", NULL},
+    {1, "foo.com.", "foo.com.", NULL},
+    {1, "f", "f.", NULL},
+    {1, "f.", "f", NULL},
+    {1, "f.", "f.", NULL},
+    {1, "www-3.bar.foo.com", "*.bar.foo.com.", NULL},
+    {1, "www-3.bar.foo.com.", "*.bar.foo.com", NULL},
+    {1, "www-3.bar.foo.com.", "*.bar.foo.com.", NULL},
+    {0, ".", ".", NULL},
+    {0, "example.com", "*.com.", NULL},
+    {0, "example.com.", "*.com", NULL},
+    {0, "example.com.", "*.com.", NULL},
+    {0, "foo.", "*.", NULL},
+    {0, "foo", "*.", NULL},
+    /*
+    {0, "foo.co.uk", "*.co.uk.", NULL},
+    {0, "foo.co.uk.", "*.co.uk.", NULL},
+    */
+
+    /* An empty CN is OK. */
+    {1, "test.foo.com", "", "test.foo.com"},
+
+    /* An IP should not be used for the CN. */
+    {0, "173.194.195.139", "173.194.195.139", NULL},
+};
+
+typedef struct name_list {
+  const char *name;
+  struct name_list *next;
+} name_list;
+
+typedef struct {
+   size_t name_count;
+   char *buffer;
+   name_list *names;
+} parsed_dns_names;
+
+name_list *name_list_add(const char *n) {
+  name_list *result = gpr_malloc(sizeof(name_list));
+  result->name = n;
+  result->next = NULL;
+  return result;
+}
+
+static parsed_dns_names parse_dns_names(const char *dns_names_str) {
+  parsed_dns_names result;
+  name_list *current_nl;
+  size_t i;
+  memset(&result, 0, sizeof(parsed_dns_names));
+  if (dns_names_str == 0) return result;
+  result.name_count = 1;
+  result.buffer = gpr_strdup(dns_names_str);
+  result.names = name_list_add(result.buffer);
+  current_nl = result.names;
+  for (i = 0; i < strlen(dns_names_str); i++) {
+    if (dns_names_str[i] == ',') {
+      result.buffer[i] = '\0';
+      result.name_count++;
+      i++;
+      current_nl->next = name_list_add(result.buffer + i);
+      current_nl = current_nl->next;
+    }
+  }
+  return result;
+}
+
+static void destruct_parsed_dns_names(parsed_dns_names *pdn) {
+  name_list *nl = pdn->names;
+  if (pdn->buffer != NULL) gpr_free(pdn->buffer);
+  while (nl != NULL) {
+    name_list *to_be_free = nl;
+    nl = nl->next;
+    gpr_free(to_be_free);
+  }
+}
+
+static char *processed_dns_name(const char *dns_name) {
+  char *result = gpr_strdup(dns_name);
+  size_t i;
+  for (i = 0; i < strlen(result); i++) {
+    if (result[i] == '#') {
+      result[i] = '\0';
+    }
+  }
+  return result;
+}
+
+static tsi_peer peer_from_cert_name_test_entry(
+    const cert_name_test_entry *entry) {
+  size_t i;
+  tsi_peer peer;
+  name_list *nl;
+  parsed_dns_names dns_entries = parse_dns_names(entry->dns_names);
+  nl = dns_entries.names;
+  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, entry->common_name,
+                 &peer.properties[0]) == TSI_OK);
+  GPR_ASSERT(tsi_construct_list_peer_property(
+                 TSI_X509_SUBJECT_ALTERNATIVE_NAMES_PEER_PROPERTY,
+                 dns_entries.name_count, &peer.properties[1]) == TSI_OK);
+  i = 0;
+  while (nl != NULL) {
+    char *processed = processed_dns_name(nl->name);
+    GPR_ASSERT(tsi_construct_string_peer_property(
+                   NULL, processed, strlen(nl->name),
+                   &peer.properties[1].value.list.children[i++]) == TSI_OK);
+    nl = nl->next;
+    gpr_free(processed);
+  }
+  destruct_parsed_dns_names(&dns_entries);
+  return peer;
+}
+
+char *cert_name_test_entry_to_string(const cert_name_test_entry *entry) {
+  char *s;
+  gpr_asprintf(
+      &s, "{ success = %s, host_name = %s, common_name = %s, dns_names = %s}",
+      entry->expected ? "true" : "false", entry->host_name, entry->common_name,
+      entry->dns_names != NULL ? entry->dns_names : "");
+  return s;
+}
+
+static void test_peer_matches_name(void) {
+  size_t i = 0;
+  for (i = 0; i < GPR_ARRAY_SIZE(cert_name_test_entries); i++) {
+    const cert_name_test_entry *entry = &cert_name_test_entries[i];
+    tsi_peer peer = peer_from_cert_name_test_entry(entry);
+    int result = tsi_ssl_peer_matches_name(&peer, entry->host_name);
+    if (result != entry->expected) {
+      char *entry_str = cert_name_test_entry_to_string(entry);
+      gpr_log(GPR_ERROR, "%s", entry_str);
+      gpr_free(entry_str);
+      GPR_ASSERT(0); /* Unexpected result. */
+    }
+    tsi_peer_destruct(&peer);
+  }
+}
+
+int main(int argc, char **argv) {
+  grpc_test_init(argc, argv);
+  test_peer_matches_name();
+  return 0;
+}
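Review bot: The `"www.foo.com#"` entry marked `/* # = null char. */` never puts a NUL into the common name: `peer_from_cert_name_test_entry` hands `entry->common_name` to `tsi_construct_string_peer_property_from_cstring` unprocessed, so the matcher sees a literal `#` and the embedded-NUL case for the CN goes untested. Routing the CN through `processed_dns_name` and the length-taking `tsi_construct_string_peer_property`, as the SAN loop already does, would make the entry test what its comment says. Separately, `processed_dns_name` re-evaluates `strlen(result)` on every iteration, so it stops at the first `#` it rewrites; reading the length once (`size_t len = strlen(result);` then `i < len`) would match the struct comment that any occurrence is replaced. `parse_dns_names` also advances `i` both inside the comma branch and in the `for` header, so a comma directly following another comma is skipped, which will matter once the commented-out `",*.*,..."` entry is enabled.

```c
static tsi_peer peer_from_cert_name_test_entry(
    const cert_name_test_entry *entry) {
  /* Copy of the CN with '#' turned into NUL; the length still comes from the
     original string so the embedded NUL is part of the property value. */
  char *cn = processed_dns_name(entry->common_name);
  /* … unchanged: other locals, parse_dns_names, tsi_construct_peer … */
  GPR_ASSERT(tsi_construct_string_peer_property(
                 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, cn,
                 strlen(entry->common_name), &peer.properties[0]) == TSI_OK);
  gpr_free(cn);
  /* … unchanged: SAN list construction, cleanup, return … */
```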

+ 1 - 1
test/cpp/interop/client.cc

@@ -57,7 +57,7 @@ DEFINE_bool(enable_ssl, false, "Whether to use ssl/tls.");
 DEFINE_bool(use_prod_roots, false, "True to use SSL roots for google");
 DEFINE_int32(server_port, 0, "Server port.");
 DEFINE_string(server_host, "127.0.0.1", "Server host to connect to");
-DEFINE_string(server_host_override, "foo.test.google.com",
+DEFINE_string(server_host_override, "foo.test.google.fr",
               "Override the server host which is sent in HTTP header");
 DEFINE_string(test_case, "large_unary",
               "Configure different test cases. Valid options are: "

+ 1 - 1
test/cpp/util/create_test_channel.cc

@@ -93,7 +93,7 @@ std::shared_ptr<ChannelInterface> CreateTestChannel(
 // Shortcut for end2end and interop tests.
 std::shared_ptr<ChannelInterface> CreateTestChannel(const grpc::string& server,
                                                     bool enable_ssl) {
-  return CreateTestChannel(server, "foo.test.google.com", enable_ssl, false);
+  return CreateTestChannel(server, "foo.test.google.fr", enable_ssl, false);
 }
 
 }  // namespace grpc

+ 4 - 0
tools/run_tests/tests.json

@@ -265,6 +265,10 @@
     "language": "c", 
     "name": "transport_metadata_test"
   }, 
+  {
+    "language": "c", 
+    "name": "transport_security_test"
+  }, 
   {
     "language": "c++", 
     "name": "async_end2end_test"

+ 10 - 2
vsprojects/vs2013/Grpc.mak

@@ -53,10 +53,10 @@ grpc_test_util:
 $(OUT_DIR):
 	mkdir $(OUT_DIR)
 
-buildtests: alarm_heap_test.exe alarm_list_test.exe alarm_test.exe alpn_test.exe bin_encoder_test.exe census_hash_table_test.exe census_statistics_multiple_writers_circular_buffer_test.exe census_statistics_multiple_writers_test.exe census_statistics_performance_test.exe census_statistics_quick_test.exe census_statistics_small_log_test.exe census_stats_store_test.exe census_stub_test.exe census_trace_store_test.exe census_window_stats_test.exe chttp2_status_conversion_test.exe chttp2_stream_encoder_test.exe chttp2_stream_map_test.exe chttp2_transport_end2end_test.exe dualstack_socket_test.exe echo_test.exe fd_posix_test.exe fling_stream_test.exe fling_test.exe gpr_cancellable_test.exe gpr_cmdline_test.exe gpr_env_test.exe gpr_file_test.exe gpr_histogram_test.exe gpr_host_port_test.exe gpr_log_test.exe gpr_slice_buffer_test.exe gpr_slice_test.exe gpr_string_test.exe gpr_sync_test.exe gpr_thd_test.exe gpr_time_test.exe gpr_useful_test.exe grpc_base64_test.exe grpc_byte_buffer_reader_test.exe grpc_channel_stack_test.exe grpc_completion_queue_test.exe grpc_credentials_test.exe grpc_json_token_test.exe grpc_stream_op_test.exe hpack_parser_test.exe hpack_table_test.exe httpcli_format_request_test.exe httpcli_parser_test.exe httpcli_test.exe json_rewrite_test.exe json_test.exe lame_client_test.exe message_compress_test.exe metadata_buffer_test.exe multi_init_test.exe murmur_hash_test.exe no_server_test.exe poll_kick_posix_test.exe resolve_address_test.exe secure_endpoint_test.exe sockaddr_utils_test.exe tcp_client_posix_test.exe tcp_posix_test.exe tcp_server_posix_test.exe time_averaged_stats_test.exe time_test.exe timeout_encoding_test.exe transport_metadata_test.exe 
+buildtests: alarm_heap_test.exe alarm_list_test.exe alarm_test.exe alpn_test.exe bin_encoder_test.exe census_hash_table_test.exe census_statistics_multiple_writers_circular_buffer_test.exe census_statistics_multiple_writers_test.exe census_statistics_performance_test.exe census_statistics_quick_test.exe census_statistics_small_log_test.exe census_stats_store_test.exe census_stub_test.exe census_trace_store_test.exe census_window_stats_test.exe chttp2_status_conversion_test.exe chttp2_stream_encoder_test.exe chttp2_stream_map_test.exe chttp2_transport_end2end_test.exe dualstack_socket_test.exe echo_test.exe fd_posix_test.exe fling_stream_test.exe fling_test.exe gpr_cancellable_test.exe gpr_cmdline_test.exe gpr_env_test.exe gpr_file_test.exe gpr_histogram_test.exe gpr_host_port_test.exe gpr_log_test.exe gpr_slice_buffer_test.exe gpr_slice_test.exe gpr_string_test.exe gpr_sync_test.exe gpr_thd_test.exe gpr_time_test.exe gpr_useful_test.exe grpc_base64_test.exe grpc_byte_buffer_reader_test.exe grpc_channel_stack_test.exe grpc_completion_queue_test.exe grpc_credentials_test.exe grpc_json_token_test.exe grpc_stream_op_test.exe hpack_parser_test.exe hpack_table_test.exe httpcli_format_request_test.exe httpcli_parser_test.exe httpcli_test.exe json_rewrite_test.exe json_test.exe lame_client_test.exe message_compress_test.exe metadata_buffer_test.exe multi_init_test.exe murmur_hash_test.exe no_server_test.exe poll_kick_posix_test.exe resolve_address_test.exe secure_endpoint_test.exe sockaddr_utils_test.exe tcp_client_posix_test.exe tcp_posix_test.exe tcp_server_posix_test.exe time_averaged_stats_test.exe time_test.exe timeout_encoding_test.exe transport_metadata_test.exe transport_security_test.exe 
 	echo All tests built.
 
-test: alarm_heap_test alarm_list_test alarm_test alpn_test bin_encoder_test census_hash_table_test census_statistics_multiple_writers_circular_buffer_test census_statistics_multiple_writers_test census_statistics_performance_test census_statistics_quick_test census_statistics_small_log_test census_stats_store_test census_stub_test census_trace_store_test census_window_stats_test chttp2_status_conversion_test chttp2_stream_encoder_test chttp2_stream_map_test chttp2_transport_end2end_test dualstack_socket_test echo_test fd_posix_test fling_stream_test fling_test gpr_cancellable_test gpr_cmdline_test gpr_env_test gpr_file_test gpr_histogram_test gpr_host_port_test gpr_log_test gpr_slice_buffer_test gpr_slice_test gpr_string_test gpr_sync_test gpr_thd_test gpr_time_test gpr_useful_test grpc_base64_test grpc_byte_buffer_reader_test grpc_channel_stack_test grpc_completion_queue_test grpc_credentials_test grpc_json_token_test grpc_stream_op_test hpack_parser_test hpack_table_test httpcli_format_request_test httpcli_parser_test httpcli_test json_rewrite_test json_test lame_client_test message_compress_test metadata_buffer_test multi_init_test murmur_hash_test no_server_test poll_kick_posix_test resolve_address_test secure_endpoint_test sockaddr_utils_test tcp_client_posix_test tcp_posix_test tcp_server_posix_test time_averaged_stats_test time_test timeout_encoding_test transport_metadata_test 
+test: alarm_heap_test alarm_list_test alarm_test alpn_test bin_encoder_test census_hash_table_test census_statistics_multiple_writers_circular_buffer_test census_statistics_multiple_writers_test census_statistics_performance_test census_statistics_quick_test census_statistics_small_log_test census_stats_store_test census_stub_test census_trace_store_test census_window_stats_test chttp2_status_conversion_test chttp2_stream_encoder_test chttp2_stream_map_test chttp2_transport_end2end_test dualstack_socket_test echo_test fd_posix_test fling_stream_test fling_test gpr_cancellable_test gpr_cmdline_test gpr_env_test gpr_file_test gpr_histogram_test gpr_host_port_test gpr_log_test gpr_slice_buffer_test gpr_slice_test gpr_string_test gpr_sync_test gpr_thd_test gpr_time_test gpr_useful_test grpc_base64_test grpc_byte_buffer_reader_test grpc_channel_stack_test grpc_completion_queue_test grpc_credentials_test grpc_json_token_test grpc_stream_op_test hpack_parser_test hpack_table_test httpcli_format_request_test httpcli_parser_test httpcli_test json_rewrite_test json_test lame_client_test message_compress_test metadata_buffer_test multi_init_test murmur_hash_test no_server_test poll_kick_posix_test resolve_address_test secure_endpoint_test sockaddr_utils_test tcp_client_posix_test tcp_posix_test tcp_server_posix_test time_averaged_stats_test time_test timeout_encoding_test transport_metadata_test transport_security_test 
 	echo All tests ran.
 
 test_gpr: gpr_cancellable_test gpr_cmdline_test gpr_env_test gpr_file_test gpr_histogram_test gpr_host_port_test gpr_log_test gpr_slice_buffer_test gpr_slice_test gpr_string_test gpr_sync_test gpr_thd_test gpr_time_test gpr_useful_test 
@@ -702,3 +702,11 @@ transport_metadata_test: transport_metadata_test.exe
 	echo Running transport_metadata_test
 	$(OUT_DIR)\transport_metadata_test.exe
 
+transport_security_test.exe: grpc_test_util
+	echo Building transport_security_test
+	$(CC) $(CFLAGS) /Fo:$(OUT_DIR)\ ..\..\test\core\tsi\transport_security_test.c 
+	$(LINK) $(LFLAGS) /OUT:"$(OUT_DIR)\transport_security_test.exe" Debug\grpc_test_util.lib Debug\grpc.lib Debug\gpr_test_util.lib Debug\gpr.lib $(LIBS) $(OUT_DIR)\transport_security_test.obj 
+transport_security_test: transport_security_test.exe
+	echo Running transport_security_test
+	$(OUT_DIR)\transport_security_test.exe
+

Some files were not shown because too many files changed in this diff