Enable TLS SNI by setting peer_name to $host in $ssl_options #785
Conversation
carlhoerberg
force-pushed
the
tls-sni
branch
3 times, most recently
from
257f718
to
125b6ba
Compare
|
Thanks a lot @carlhoerberg . I see those options can be provided via constructor, there is no need to define them for each secure connection. ATM we don't have automated tests for secure connection and this is the first time when somebody asks for this feature, also might be some backward incompatibility. Having all this i would like to keep it as it is now. |
|
There's no backward incompatibility, all servers that doesn't have SNI enabled will simply ignore it, it's simply an extra field in the ClientHello package only. This change does not enable hostname verification for instance, that would be a braking change. |
|
Not setting the SNI header is like for web browser to not set the "Host" header, load balancers/proxys have no idea which host you actually want to reach, they can then only see which IP and port you connected to, so if you have multiple AMQP servers behind the same IP and port phpamqplib whould need a lot of hassling to get it to work, this fix will fix that, and for everybody else it's a noop. |
|
It also allows you to have multiple certificates for the same RabbitMQ server, which is something we see quite often. The server then knows which of the certificates to send back to the client. |
|
Relevant documentation: https://www.php.net/manual/en/context.ssl.php |
|
I've verified a number of AMQP libraries, if they have SNI enabled by default or not: SNI enabled by default:
SNI not enabled by default:
|
|
Thanks @carlhoerberg |
revert #785 'Enable TLS SNI by default'
Enable TLS SNI by setting peer_name to $host in $ssl_options
revert php-amqplib#785 'Enable TLS SNI by default'
Required if multiple AMQP servers are behind a TLS termintator/load-balancer.