
SNI is not Supported on the Server #70

Open
ctrlshp opened this issue Jun 4, 2020 · 6 comments

@ctrlshp

ctrlshp commented Jun 4, 2020

I am using the latest 4.0.0-SNAPSHOT of the Vert.x stack. I tested this with the Java server app running on macOS 10.15.14, Ubuntu 20.04 and Windows 10 on an AdoptOpenJDK 11.0.7 JVM. I am using the openssl test client like so:

openssl s_client -showcerts -servername grpc.example.com -connect grpc.example.com:443

I am setting the SSL options with the setPfxKeyCertOptions and setSni(true). The PFX/P12/PKCS 12 key store contains key/cert entries for all the hostnames the server is serving for, including "localhost", and for the sake of this example, "grpc.example.com". If I start a normal Vert.x HTTP/2 server, it responds to the test openssl command correctly, whereas the gRPC server does not.
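The working half of the report above, as an added example that is not the reporter's code: a plain Vert.x 4 HTTP/2 server configured with setPfxKeyCertOptions and setSni(true) from a PKCS12 store holding one key/cert entry per hostname. The store path and password, the port, and the echo handler are assumptions; the server just reports the SNI name it received so the selection can be checked from the client side.

```java
// Added example: Vert.x 4 HTTP/2 server with SNI enabled.
// Assumptions: server.p12 (password "changeit") contains one key/cert entry for
// each hostname served, e.g. "localhost" and "grpc.example.com".
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServer;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PfxOptions;

public class SniHttp2Server {
  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();

    HttpServerOptions options = new HttpServerOptions()
        .setSsl(true)
        .setUseAlpn(true)      // h2 is negotiated through ALPN; without it you get HTTP/1.1 over TLS
        .setSni(true)          // select the key/cert entry that matches the client's server_name
        .setPfxKeyCertOptions(new PfxOptions()
            .setPath("server.p12")     // assumed path
            .setPassword("changeit")); // assumed password

    HttpServer server = vertx.createHttpServer(options);

    server.requestHandler(req -> {
      // indicatedServerName() is the hostname the client sent in the TLS ClientHello
      // (null when the client sent no SNI extension).
      String sni = req.connection().indicatedServerName();
      req.response()
         .putHeader("content-type", "text/plain")
         .end("sni=" + sni + " protocol=" + req.version());
    });

    server.listen(8443, ar -> {
      if (ar.succeeded()) {
        System.out.println("listening on https://localhost:8443 (h2, SNI on)");
      } else {
        ar.cause().printStackTrace();
      }
    });
  }
}
```

To check selection from the client, request each name and compare the certificate that comes back with the name that was asked for, e.g. `openssl s_client -servername grpc.example.com -alpn h2 -connect localhost:8443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`, then repeat with `-servername localhost`. Pass `-servername` explicitly; older s_client versions send no SNI at all without it. A server that ignores SNI still completes the handshake with its default certificate, so a successful handshake alone proves nothing; the subject or SAN must match the requested name.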

@pmlopes
Member

pmlopes commented Dec 2, 2020

@vietj I am guessing the issue here could be related to how core is used to start the server.

@vietj
Contributor

vietj commented Dec 2, 2020

@pmlopes I think this is an issue of gRPC Netty server. SNI requires a specific Netty Handler to operate.

@vietj
Contributor

vietj commented Dec 2, 2020

note that if we reimplement a Vert.x transport for gRPC this would work

@vietj
Contributor

vietj commented Dec 2, 2020

I created this issue because I believe this is a desirable feature to have in v4 #83

@theangrydev

See grpc/grpc-java#7397 (comment) where I was advised that SNI support with grpc-java is recommended to be achieved by manipulating the key store and relying on default handling for SNI in Java
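The key-store manipulation that advice refers to, as an added example that is neither the commenter's, grpc-java's nor Vert.x's code: it merges per-host PKCS12 files into one store, names each entry after the DNS name its certificate carries, and checks that some entry covers every hostname the server must answer for before the store is handed to a server. The input and output file names, the shared password and the alias convention are assumptions; JSSE and Vert.x select by certificate content, not by alias, so the alias is only for humans.

```java
// Added example: build one multi-entry PKCS12 store from per-host stores and
// verify it has a certificate for every expected hostname.
// Assumptions: localhost.p12 and grpc.example.com.p12 each hold one key entry,
// all files share the password "changeit", output goes to server.p12.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class MergePkcs12 {

  /** Opens a PKCS12 file with the given password. */
  static KeyStore load(String path, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    try (InputStream in = new FileInputStream(path)) {
      ks.load(in, password);
    }
    return ks;
  }

  /** DNS names a leaf certificate is valid for: its dNSName SANs (GeneralName type 2). */
  static List<String> dnsNames(X509Certificate cert) throws Exception {
    List<String> names = new ArrayList<>();
    if (cert.getSubjectAlternativeNames() != null) {
      for (List<?> san : cert.getSubjectAlternativeNames()) {
        if (Integer.valueOf(2).equals(san.get(0))) {
          names.add(((String) san.get(1)).toLowerCase());
        }
      }
    }
    return names;
  }

  /** True if pattern (exact name or a single-label "*.example.com" wildcard) covers host. */
  static boolean matches(String pattern, String host) {
    host = host.toLowerCase();
    if (pattern.startsWith("*.")) {
      String suffix = pattern.substring(1); // ".example.com"
      // the wildcard may stand for exactly one label, so the only dot-separated
      // prefix allowed is the first label of host
      return host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();
    }
    return pattern.equals(host);
  }

  /** Copies every key entry of src into dst, aliased by the first DNS SAN of its leaf. */
  static void copyEntries(KeyStore src, char[] password, KeyStore dst) throws Exception {
    for (String alias : Collections.list(src.aliases())) {
      if (!src.isKeyEntry(alias)) {
        continue; // trusted-cert entries are not server identities
      }
      Key key = src.getKey(alias, password);
      Certificate[] chain = src.getCertificateChain(alias);
      List<String> names = dnsNames((X509Certificate) chain[0]);
      String newAlias = names.isEmpty() ? alias : names.get(0);
      if (dst.containsAlias(newAlias)) {
        throw new IllegalStateException("duplicate entry for " + newAlias);
      }
      dst.setKeyEntry(newAlias, key, password, chain);
    }
  }

  /** The check to run before enabling SNI: does some key entry's certificate cover host? */
  static boolean covers(KeyStore ks, String host) throws Exception {
    for (String alias : Collections.list(ks.aliases())) {
      if (!ks.isKeyEntry(alias)) {
        continue;
      }
      X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
      for (String name : dnsNames(leaf)) {
        if (matches(name, host)) {
          return true;
        }
      }
    }
    return false;
  }

  public static void main(String[] args) throws Exception {
    char[] pw = "changeit".toCharArray(); // assumption: one password for every file
    KeyStore merged = KeyStore.getInstance("PKCS12");
    merged.load(null, pw);                // start from an empty store

    for (String in : new String[] {"localhost.p12", "grpc.example.com.p12"}) {
      copyEntries(load(in, pw), pw, merged);
    }
    for (String host : new String[] {"localhost", "grpc.example.com"}) {
      if (!covers(merged, host)) {
        throw new IllegalStateException("no certificate in the store covers " + host);
      }
    }
    try (OutputStream out = new FileOutputStream("server.p12")) {
      merged.store(out, pw);
    }
    System.out.println("wrote server.p12 with aliases " + Collections.list(merged.aliases()));
  }
}
```

The covers() check is the part worth keeping in a deployment pipeline: a store that is missing a hostname does not fail at startup, it silently serves the default certificate for that name, which the client then rejects.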

@vietj
Contributor

vietj commented Mar 25, 2021 via email

cescoffier added a commit to cescoffier/quarkus that referenced this issue May 6, 2021
With SNI enabled, the server can handle multiple certificates. During the TLS handshake, the client indicates the service name, allowing the service to look for the correct certificate and complete the handshake.

The JKS and PKCS12 formats allow a key store to contain multiple certificates. However, the PEM format does not allow that. For this reason, the configuration of the PEM certificate and key now accepts lists of paths. The previous (singular) forms are deprecated but still supported.

SNI must be enabled explicitly as the server cannot verify if the key stores contain multiple certificates (JKS / PKCS12).

This commit does not enable SNI on gRPC, as the gRPC server does not handle it. See vert-x3/vertx-grpc#70 for details.

Fix quarkusio#16851
cescoffier added a commit to cescoffier/quarkus that referenced this issue May 7, 2021
gastaldi pushed a commit to gastaldi/quarkus that referenced this issue May 7, 2021
@vietj vietj removed their assignment Oct 14, 2021