HTTPS client should support SNI

[lizan]

The HTTPS client fetching auth public key doesn't support SNI, in some case ESP won't be able to fetch keys. See #262

[qiwzhang]

Does Nginx proxy_pass upstream support SNI? Is this just our "http.cc" code issue or this is the whole Nginx issue?

[bourquep]

Any idea when this might be implemented? I'm facing the same situation.

[MrBlaise]

Without this I cannot use my custom domain on auth0.

My scenario:

• Using custom domain on Auth0 for my api.
• Auth0 manages the certificate for that domain using let's encrypt
• ESP gives an error:
  2018/05/31 12:44:34 [error] 11#11: upstream SSL certificate verify error: (18:self signed certificate)
2018/05/31 12:44:34 [warn] 11#11: upstream server temporarily disabled
• But openssl s_client -showcerts -servername auth.redacted.com -connect auth.redacted.com:443 finds the cert properly (the important part is -servername, without that it fails with self-signed error as well)

[Daniel-Houston]

We are having the exact problem as mentioned by MrBlaise using our custom domain with Okta. We are unable to use that custom domain until it is fixed.

[lei-tang]

@bourquep , @MrBlaise , @Daniel-Houston, can you share your configurations and your steps to reproduce the problem?

[MrBlaise]

Nothing special configuration, I am doing everything that is written in the Kubernetes Engine tutorial (https://cloud.google.com/endpoints/docs/openapi/get-started-kubernetes-engine) and then set up custom domain according to this: https://cloud.google.com/endpoints/docs/openapi/serving-apis-from-domains I also use auth0 so I followed this guide: https://auth0.com/docs/integrations/google-cloud-platform

The error I get is written in my previous answer.

EDIT:
To reproduce the issue you need a custom domain with a let's encrypt certificate that uses SNI, and try to use that with ESP.

swagger: "2.0"
info:
  description: "REDACTED"
  title: "REDACTED"
  version: "1.0.0"
host: "redacted.redacted.com"
x-google-endpoints:
- name: "redacted.redacted.com"
  allowCors: "true"

[MrBlaise]

Sorry I left most important part

ecurityDefinitions:
  auth0_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://auth.redacted.com"
    x-google-jwks_uri: "https://auth.redacted.com/.well-known/jwks.json"
    x-google-audiences: "https://redacted.api"

The https://auth.redacted.com will fail with self signed error, when trying to authenticate the user.

[lei-tang]

@MrBlaise , thank you for sharing the steps to reproduce the problem!

[lei-tang]

The support of SNI (Server Name Indication) for https clients has been added to ESP by the commit 3fe87fd.

[MrBlaise]

Great news! Thank you! When will this release?

[lei-tang]

It should be released either this week or next week.

[lizan]

ESP 1.20.0 was released and contains the fix. Let me know if this solves your issue.

[MrBlaise]

It works now 🎉 Thanks!