This change is being backported as it is a bug-fix for a regression for a fix that was also applied to this branch. Merging this fixes the regression.

See istio/istio#53426. Istio has used underscores in their SNI since the beginning and it is critical to its functionality. Usage of underscores in SNI is a bit of a grey area in the RFCs, which are extremely under-specified wrt to what exactly is the allowed formats. However, the de-facto standard is to allow them, as virtually every TLS library does so (including, but not limited to, Golang, rustls, openssl, boringssl).

This PR loosens the restriction to additionally allow underscores.

Note the intent of the SNI restrictions was not RFC compliance, etc -- but rather to fix log
injection attacks (putting ANSI escapes, HTML, etc) into logs. This change does not loosen the security properties we hoped to gain with the initial patch.

Signed-off-by: John Howard [email protected]
(cherry picked from commit 79ee342)

Request variables

Key	Value
ref	73e162d
sha	3ba185c
pr	36997
base-sha	e5ef1c4
actor	@howardjohn
message	1.31 backport: Relax recent SNI restrictions (#36950)...
started	1730931231.241437
target-branch	release/v1.31
trusted	false

Container image/s (as used in this CI run)

Envoy version (as used in this CI run)