xds: Avoid using empty SNI string that was never sent, for SAN validation (#12532)

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -219,8 +219,10 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
         String sniToUse = upstreamTlsContext.getAutoHostSni()
             && !Strings.isNullOrEmpty(endpointHostname)
             ? endpointHostname : upstreamTlsContext.getSni();
-        if (sniToUse.isEmpty() && CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
-          sniToUse = grpcHandler.getAuthority();
+        if (sniToUse.isEmpty()) {
+          if (CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
+            sniToUse = grpcHandler.getAuthority();
+          }
           autoSniSanValidationDoesNotApply = true;
         } else {
           autoSniSanValidationDoesNotApply = false;