Add support for setting SNI hostname and set for client SSL handler #1698
Conversation
lulf
force-pushed
the
support-tls-sni-client-option
branch
from
4b2f3e5
to
1adc8b6
Compare
|
I wasn't sure if this should be put in ClientOptionsBase instead, since I think it only makes sense for clients. But I came to the conclusion that I liked it better along with other ssl options. |
lulf
force-pushed
the
support-tls-sni-client-option
branch
from
1adc8b6
to
6642cc8
Compare
|
I just checked and it supports only a single host, we want instead to support a mapping of domain->key/cert that is supported by Netty's so it seems (as far as I understand after a quick look), we should use the the TCPSSLOptions would have a Map<String, KeyCertOptions> somehow. |
lulf
force-pushed
the
support-tls-sni-client-option
branch
from
6642cc8
to
bc694f0
Compare
|
@vietj I've updated the PR to use SniHandler for server side mapping of host -> SslContext instead of SNIMatcher directly. The end2end interaction is tested in the SSLEngineTest integration test, where I made it use a different certificate for the sni host. I haven't paid much attention to how this is exposed in the options, so please comment on how you would like that. |
lulf
force-pushed
the
support-tls-sni-client-option
branch
from
bc694f0
to
3ebf171
Compare
|
@lulf thanks going to review it next week |
| @@ -280,6 +281,13 @@ public HttpServerOptions addEnabledCipherSuite(String suite) { | |||
| } | |||
|
|
|||
| @Override | |||
| @GenIgnore | |||
There was a problem hiding this comment.
I believe we should try to handle Map<String, Options> in codegen to not have GenIgnore
|
lulf
force-pushed
the
support-tls-sni-client-option
branch
2 times, most recently
from
fe6ce6c
to
93fa66d
Compare
|
Instructions added, and I added a single test to HttpTLSTest that verifies that the cert is working. It's generated the same way as the server-cert.pem, because for SNI I needed another cert that was not trusted by the default ssl context. I'm not sure if adding more tests to HttpTLSTest is necessary. Also, there are some test failures I need to look into that I just discovered. |
* Allow setting SNI hostname for clients * Allow adding different key store options for servers Signed-off-by: Ulf Lilleengen <ulf.lilleengen@gmail.com>
lulf
force-pushed
the
support-tls-sni-client-option
branch
from
93fa66d
to
53e9bf2
Compare
|
In addition to addressing your comments, I had to add some more functionality to SSLHelper to be able to support listening for handshakes and setting SSLEngine properties as several tests were failing due to that. Now all the unit tests pass here. |
|
@lulf has it been pushed ? can you update the issue and list all the changes ? |
|
All code is pushed to this branch yes. Not sure what issue you are referring to, but these are the changes I've done:
|
|
Ah, that issue :) |
|
@lulf there are a few things to change but before continuing I would like to focus on the most important part: The SSL test in Such test can only be added if the *Client supports SNI as well or if we use directly Netty to write the client part of the tests. So right now we need to have at least the |
|
This is tested in src/test/java/io/vertx/test/it/SSLEngineTest.java . It uses HttpServer and I modified it to tests that a client sets SNI and that it works and doesn't work. |
|
@lulf my bad I did not have the correct version of files I see now createSNIHandler called by HttpServer and client still the test |
|
That is why i was a bit puzzled why I should have to add that test, since I already tested it in SSLEngineTest. I thought it was just to test certificate validity. I can extend that test to use SNI also, although it would still test the same thing. |
|
@lulf yes, I beleive the Trust / Cert classes should configure the TCPSSLOptions rather with somehting configure(TCPSSLOPtions) which means a bit of refactoring. |
* Add a few testcases to test different combinations
|
I modified the TLSTest to take a SNI parameter for client and for server, and extended with a few testcases. I'll just create separate commits during the review and squash them at the end to make it easier to see what has changed. |
| /** | ||
| * Custom SNI handler that allows for listening to handshakes and configuring the SSLEngine. | ||
| */ | ||
| public class SNIHandler extends SniHandler { |
There was a problem hiding this comment.
Make it a normal class (not inner) and rename VertxSniHandler
| @@ -292,6 +292,12 @@ public HttpClientOptions setSsl(boolean ssl) { | |||
| } | |||
|
|
|||
| @Override | |||
| public HttpClientOptions setSNIServerName(String serverName) { | |||
There was a problem hiding this comment.
rename setSniServerName as the rest of the options tends to use non capital acronyms
|
@lulf so here is what we can do : add a |
|
@lulf any news for |
|
@vietj I've added the method to the interface but haven't been able to wire things in the implementation yet. A bit busy the coming days unfortunately. |
|
@lulf thanks for the headsup |
|
Is there any chance to get this feature into 3.4.1? |
|
@theoweiss Unfortunately I don't have any time left to work on this these days, and there seems to be a lot of code changes in the code that the PR touches, so I don't think this will be merged unless someone else picks up the pieces or restarts the effort. |
|
the effort is interesting, I would really like to grap well how the SNI configuration side, both on the server and on the client. for instance it seems possible with Java keystores to map SNI hostname using keystores aliases instead of having a Map<String, KeyCertOptions> / Map<String, TrustOptions> which would get the actual stuff simpler. |
|
and I would like it to be done soon, perhaps in a Vert.x 3.4.2 release. I believe the technical bits are here, it's only a matter of providing good configuration imho. |
|
I've started a new branch for SNI (reused a few bits of this PR, thanks) : https://github.com/eclipse/vert.x/tree/sni-support At the moment it provides NetSocket support only, the main point is the extension of the @xkr47 you are probably interested in following this branch |
|
@vietj sure!
|
|
thanks for the feedback, will take it in account |
|
you can know already the certificate on NetSocket, I believe we should add the same on HttpConnection and both should have the serverName |
|
I've mostly finished the SNI support (not the docs yet) : you can have a look https://github.com/eclipse/vert.x/tree/sni-support |
|
@lulf can you have a look at it and how it can be used for your use cases ? |
|
I would propose that DEFAULT_SNI is changed to |
|
the |
|
@xkr47 you mean for |
Yes |
|
@xkr47 I propose to leave it as false for now for the release 3.4.x and switch it to true when we'll be on 3.5.0-SNAPSHOT |
|
closing this PR, thanks @lulf for the contribution |
|
Thanks @lulf! |
No description provided.