Allow to get the SNI server name on the connection

eclipse-vertx · Apr 26, 2017 · 82e4ccf · 82e4ccf
1 parent 12208e7
commit 82e4ccf
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 13 deletions.
diff --git a/src/main/java/io/vertx/core/http/HttpConnection.java b/src/main/java/io/vertx/core/http/HttpConnection.java
@@ -264,4 +264,11 @@ default HttpConnection goAway(long errorCode, int lastStreamId) {
    */
   @GenIgnore
   X509Certificate[] peerCertificateChain() throws SSLPeerUnverifiedException;
+
+  /**
+   * Returns the SNI server name presented during the SSL handshake by the client.
+   *
+   * @return the indicated server name
+   */
+  String indicatedServerName();
 }
diff --git a/src/main/java/io/vertx/core/http/impl/VertxHttp2NetSocket.java b/src/main/java/io/vertx/core/http/impl/VertxHttp2NetSocket.java
@@ -287,4 +287,9 @@ public boolean isSsl() {
   public X509Certificate[] peerCertificateChain() throws SSLPeerUnverifiedException {
     return conn.peerCertificateChain();
   }
+
+  @Override
+  public String indicatedServerName() {
+    return conn.indicatedServerName();
+  }
 }
diff --git a/src/main/java/io/vertx/core/net/NetSocket.java b/src/main/java/io/vertx/core/net/NetSocket.java
@@ -241,5 +241,12 @@ default NetSocket sendFile(String filename, long offset, Handler<AsyncResult<Voi
    */
   @GenIgnore
   X509Certificate[] peerCertificateChain() throws SSLPeerUnverifiedException;
+
+  /**
+   * Returns the SNI server name presented during the SSL handshake by the client.
+   *
+   * @return the indicated server name
+   */
+  String indicatedServerName();
 }
 
diff --git a/src/main/java/io/vertx/core/net/impl/ConnectionBase.java b/src/main/java/io/vertx/core/net/impl/ConnectionBase.java
@@ -272,6 +272,14 @@ public X509Certificate[] peerCertificateChain() throws SSLPeerUnverifiedExceptio
     }
   }
 
+  public String indicatedServerName() {
+    if (channel.hasAttr(VertxSniHandler.SERVER_NAME_ATTR)) {
+      return channel.attr(VertxSniHandler.SERVER_NAME_ATTR).get();
+    } else {
+      return null;
+    }
+  }
+
   public String remoteName() {
     InetSocketAddress addr = (InetSocketAddress) channel.remoteAddress();
     if (addr == null) return null;

diff --git a/src/main/java/io/vertx/core/net/impl/VertxSniHandler.java b/src/main/java/io/vertx/core/net/impl/VertxSniHandler.java
@@ -20,6 +20,8 @@
 import io.netty.handler.ssl.SniHandler;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
+import io.netty.util.Attribute;
+import io.netty.util.AttributeKey;
 import io.netty.util.ReferenceCountUtil;
 import io.netty.util.concurrent.DefaultPromise;
 import io.netty.util.concurrent.EventExecutor;
@@ -34,8 +36,9 @@
  */
 public class VertxSniHandler extends SniHandler {
 
+  public static AttributeKey<String> SERVER_NAME_ATTR = AttributeKey.valueOf("sniServerName");
+
   private final SSLHelper helper;
-  private final VertxInternal vertx;
   private ChannelHandlerContext context;
   private final Promise<Channel> handshakeFuture;
 
@@ -44,7 +47,6 @@ public VertxSniHandler(SSLHelper helper, VertxInternal vertx) {
       return helper.getContext(vertx, input);
     });
     this.helper = helper;
-    this.vertx = vertx;
     this.handshakeFuture = new DefaultPromise<Channel>() {
       @Override
       protected EventExecutor executor() {
@@ -76,6 +78,8 @@ protected void replaceHandler(ChannelHandlerContext ctx, String hostname, SslCon
       Future<Channel> fut = sslHandler.handshakeFuture();
       fut.addListener(future -> {
         if (future.isSuccess()) {
+          Attribute<String> val = ctx.channel().attr(SERVER_NAME_ATTR);
+          val.set(hostname);
           handshakeFuture.setSuccess(ctx.channel());
         } else {
           handshakeFuture.setFailure(future.cause());

diff --git a/src/test/java/io/vertx/test/core/HttpTLSTest.java b/src/test/java/io/vertx/test/core/HttpTLSTest.java
@@ -382,13 +382,13 @@ public void testTLSClientCertPEMRequiredOpenSSL() throws Exception {
   @Test
   // Client provides SNI and server responds with a matching certificate for the indicated server name
   public void testSNITrust() throws Exception {
-    X509Certificate cert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST1, Cert.SNI_JKS, Trust.NONE)
+    TLSTest test = testTLS(Cert.NONE, Trust.SNI_JKS_HOST1, Cert.SNI_JKS, Trust.NONE)
         .serverSni()
         .clientSni()
         .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("host1"))
-        .pass()
+        .pass();
-        .clientPeerCert();
+    assertEquals("host1", TestUtils.cnOf(test.clientPeerCert()));
-    assertEquals("host1", TestUtils.cnOf(cert));
+    assertEquals("host1", test.indicatedServerName);
   }
 
   @Test
@@ -461,13 +461,13 @@ public void testSNIUnknownServerName2() throws Exception {
   @Test
   // Client provides SNI matched on the server by a wildcard certificate
   public void testSNIWildcardMatch() throws Exception {
-    X509Certificate cert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST3, Cert.SNI_JKS, Trust.NONE)
+    TLSTest test = testTLS(Cert.NONE, Trust.SNI_JKS_HOST3, Cert.SNI_JKS, Trust.NONE)
         .serverSni()
         .clientSni()
         .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("sub.host3"))
-        .pass()
+        .pass();
-        .clientPeerCert();
+    assertEquals("*.host3", TestUtils.cnOf(test.clientPeerCert()));
-    assertEquals("*.host3", TestUtils.cnOf(cert));
+    assertEquals("sub.host3", test.indicatedServerName);
   }
 
   @Test
@@ -699,11 +699,11 @@ public void testSNIWithOpenSSL() throws Exception {
 
   @Test
   public void testSNIClientDisabled() throws Exception {
-    testTLS(Cert.NONE, Trust.SNI_JKS_HOST1, Cert.SNI_JKS, Trust.NONE)
+    TLSTest test = testTLS(Cert.NONE, Trust.SNI_JKS_HOST1, Cert.SNI_JKS, Trust.NONE)
         .serverSni()
         .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("host1"))
-        .fail()
+        .fail();
-        .clientPeerCert();
+    assertNull(test.indicatedServerName);
   }
 
 
@@ -774,6 +774,7 @@ class TLSTest {
       return client.request(HttpMethod.POST, 4043, httpHost, DEFAULT_TEST_URI);
     };
     X509Certificate clientPeerCert;
+    String indicatedServerName;
 
     public TLSTest(Cert<?> clientCert, Trust<?> clientTrust, Cert<?> serverCert, Trust<?> serverTrust) {
       this.version = HttpVersion.HTTP_1_1;
@@ -983,6 +984,7 @@ TLSTest run(boolean shouldPass) {
       }
       server = createHttpServer(serverOptions.setPort(4043));
       server.requestHandler(req -> {
+        indicatedServerName = req.connection().indicatedServerName();
         assertEquals(version, req.version());
         req.bodyHandler(buffer -> {
           assertEquals(serverSSL, req.isSSL());

diff --git a/src/test/java/io/vertx/test/core/NetTest.java b/src/test/java/io/vertx/test/core/NetTest.java
@@ -1252,6 +1252,7 @@ public void testSniWithServerName1() throws Exception {
     test.run(true);
     await();
     assertEquals("host1", cnOf(test.clientPeerCert()));
+    assertEquals("host1", test.indicatedServerName);
   }
 
   @Test
@@ -1349,6 +1350,7 @@ class TLSTest {
     boolean sni;
     String serverName;
     X509Certificate clientPeerCert;
+    String indicatedServerName;
 
     public TLSTest clientCert(Cert<?> clientCert) {
       this.clientCert = clientCert;
@@ -1445,6 +1447,7 @@ void run(boolean shouldPass) {
       options.setPort(4043);
       server = vertx.createNetServer(options);
       Handler<NetSocket> serverHandler = socket -> {
+        indicatedServerName = socket.indicatedServerName();
         if (socket.isSsl()) {
           certificateChainChecker.accept(socket);
         }
@@ -1454,6 +1457,7 @@ void run(boolean shouldPass) {
           socket.write(buff); // echo the data
           if (startTLS) {
             if (upgradedServer.compareAndSet(false, true)) {
+              indicatedServerName = socket.indicatedServerName();
               assertFalse(socket.isSsl());
               socket.upgradeToSsl(v -> {
                 certificateChainChecker.accept(socket);