Conversation

@jaiswal-sumit (Contributor) commented Sep 14, 2023

This PR sets SNI during the Boost library WebSocket next_layer() SSL handshake that happens during launch of app tunneling.

Motivation

  • We have a use case for running AWS IoT secure tunnel within a Customer Managed VPN, along with a proxy service infrastructure to route multiple external services on a single domain. During the Customer Managed VPN setup, we noticed that the SSL handshake was failing when launching the local proxy. After a detailed investigation of the issue, we found that the code was not setting the Server Name Indication (SNI) during the initial SSL handshake call in the 'Client Hello' of the next_layer() SSL handshake code.
  • This issue is linked to the Boost Beast WebSocket Secure (WSS) stream library code, which does not supply SNI by default during the next_layer() async_ssl_handshake() function. Therefore, following the example provided by the Boost library, it is suggested to use the SSL_set_tlsext_host_name function to set the SNI.
  • This PR aims to resolve the SSL handshake issue and ensure that the code functions correctly in both non-VPN and VPN application tunnels.
  • Issue number: AWS Case id: 13813696371

Modifications

Change summary

  • Supplied the host string from TcpAdapter, which initiates async_ssl_handshake.
  • Extended WebSocketStream async_ssl_handshake to take the host string and use it to set SNI.
  • Added SSL_set_tlsext_host_name to the WebSocketStream async_ssl_handshake() code to set SNI with the host string.

Revision diff summary

NA

Testing

Is your change tested? Yes
Please list your testing steps and test results.
  1. Log in to the CMVPN infra.
  2. Deploy the fixed localproxy executable.
  3. Open the tunnel.
  4. Check the connection status.
Connection status found connected at both sides.

  • CI test run result: NA

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

…hake, hence this change ensures that SNI is set for next_layer(), which is the client hello call. Tested and working fine.

@jaiswal-sumit changed the title from "with Private VPN, it is important that SNI are supplied for SSL hands…" to "PR to set SNI during boost lib websocket next_layer() SSL handshake process happen during launch of app tunneling." on Sep 15, 2023
@RogerZhongAWS (Contributor) commented

Hey, thanks for the description of your issue and for your contribution. This looks fine to me, will merge as soon as we get a second approval on this.

RogerZhongAWS previously approved these changes Sep 22, 2023

@abeytr left a comment

We tested this for the following workflows and it is working as expected:

  1. localProxy connection over private URLs
  2. localProxy connection over public URLs

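The tests above confirm end-to-end connectivity. An added check that is not part of the PR or the project, for anyone who wants to verify the wire-level effect directly: it inspects a raw TLS ClientHello record and reports whether it carries a server_name extension and which host it names, which is exactly what a capture from the local proxy before and after the fix should differ in. The ClientHello bytes it parses are constructed inside the block by `build_client_hello` (TLS 1.2, one cipher suite, fixed random) as sample input; `SniResult`, `client_hello_sni` and `truncated` are this example's own names.

```cpp
// Added example (not from the PR): does a TLS ClientHello carry SNI?
// The builder produces constructed sample records, not a capture.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct SniResult {
    bool well_formed;  // record parsed cleanly to the end of the extensions
    bool has_sni;      // a server_name extension with a host_name entry was present
    std::string host;  // the host_name, when present
};

namespace {
void put16(std::vector<uint8_t>& v, size_t n) { v.push_back(uint8_t(n >> 8)); v.push_back(uint8_t(n)); }
void put24(std::vector<uint8_t>& v, size_t n) { v.push_back(uint8_t(n >> 16)); put16(v, n); }
size_t get16(const std::vector<uint8_t>& v, size_t i) { return (size_t(v[i]) << 8) | v[i + 1]; }
size_t get24(const std::vector<uint8_t>& v, size_t i) { return (size_t(v[i]) << 16) | get16(v, i + 1); }
}

// Minimal TLS 1.2 ClientHello record. An empty `sni` omits the extensions
// block entirely, mirroring a client that never set a host name.
std::vector<uint8_t> build_client_hello(const std::string& sni) {
    std::vector<uint8_t> body;
    put16(body, 0x0303);                             // client_version TLS 1.2
    for (int k = 0; k < 32; ++k) body.push_back(0x11); // random (fixed filler)
    body.push_back(0);                               // session_id length 0
    put16(body, 2); put16(body, 0xc02f);             // one cipher suite
    body.push_back(1); body.push_back(0);            // compression: null only
    if (!sni.empty()) {
        std::vector<uint8_t> ext;
        put16(ext, 0x0000);                          // extension type server_name
        put16(ext, sni.size() + 5);                  // extension data length
        put16(ext, sni.size() + 3);                  // server_name_list length
        ext.push_back(0);                            // name_type host_name
        put16(ext, sni.size());
        ext.insert(ext.end(), sni.begin(), sni.end());
        put16(body, ext.size());                     // extensions length
        body.insert(body.end(), ext.begin(), ext.end());
    }
    std::vector<uint8_t> rec;
    rec.push_back(0x16); put16(rec, 0x0301);         // handshake record header
    put16(rec, body.size() + 4);
    rec.push_back(0x01); put24(rec, body.size());    // handshake type client_hello
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

// Parse one ClientHello record; every length field is bounds-checked so a
// truncated or malformed record is reported rather than misread.
SniResult client_hello_sni(const std::vector<uint8_t>& rec) {
    SniResult r{false, false, ""};
    if (rec.size() < 9 || rec[0] != 0x16 || rec[5] != 0x01) return r;
    if (get16(rec, 3) + 5 != rec.size() || get24(rec, 6) + 9 != rec.size()) return r;
    size_t i = 9;
    auto need = [&](size_t n) { return i + n <= rec.size(); };
    if (!need(2 + 32 + 1)) return r;
    i += 2 + 32;                                     // version, random
    size_t sid = rec[i++]; if (!need(sid + 2)) return r; i += sid;
    size_t cs = get16(rec, i); i += 2; if (!need(cs + 1)) return r; i += cs;
    size_t cm = rec[i++]; if (!need(cm)) return r; i += cm;
    if (i == rec.size()) { r.well_formed = true; return r; }  // no extensions at all
    if (!need(2)) return r;
    size_t ext_len = get16(rec, i); i += 2;
    if (i + ext_len != rec.size()) return r;
    while (i + 4 <= rec.size()) {
        size_t type = get16(rec, i), len = get16(rec, i + 2); i += 4;
        if (!need(len)) return r;
        if (type == 0x0000 && len >= 5) {
            size_t list_len = get16(rec, i);         // server_name_list length
            size_t name_len = get16(rec, i + 3);     // host_name length
            if (list_len + 2 == len && rec[i + 2] == 0 && name_len + 3 == list_len) {
                r.has_sni = true;
                r.host.assign(rec.begin() + i + 5, rec.begin() + i + 5 + name_len);
            }
        }
        i += len;
    }
    r.well_formed = (i == rec.size());
    return r;
}

// Keep only the first `keep` bytes, to exercise the truncated-record path.
std::vector<uint8_t> truncated(std::vector<uint8_t> rec, size_t keep) {
    if (keep < rec.size()) rec.resize(keep);
    return rec;
}
```

Fed the first record of each connection from a capture, the function gives a yes/no answer to the question the PR raises: a `well_formed` record with `has_sni == false` is a client that never set the host name, whatever the connection status later reports.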
@RogerZhongAWS RogerZhongAWS merged commit d3150e0 into aws-samples:main Oct 19, 2023