
SNI, enhanced SSL, static name resolver #487

Open. Wants to merge 41 commits into base: master

Conversation

@kachayev (Collaborator) commented Feb 16, 2019

Quick note: this PR has some overlapping functionality with #480.

SNI

  • configuration options for http/connection-pool to disable SNI or to provide the peer host value manually (effectively emulating openssl client -servername <host>)

  • server now supports SNI when the :sni option is provided with a mapping from domain names to the appropriate SslContext

Netty's SniHandler (AbstractSniHandler, to be more specific) is implemented in quite a liberal fashion: it requires a default SslContext to be provided and falls back to it when no matching host is found, when server_name is not provided, when there's an issue with the ClientHello, etc. Right now I do the same for the Aleph configuration, just throwing IllegalArgumentException when no default context is provided. Ideally, there should be an option to implement strict validation, e.g. reject non-SNI clients.

P.S. It turned out that the JDK does the same, silently ignoring SNI matchers when the ClientHello has no server_name extension at all.

SSL

  • extended versions of netty/ssl-client-context and netty/ssl-server-context to manage SslContext objects without Java interop

  • ssl-context can now be configured by passing a map of options instead of calling a helper or juggling with Java interop, so you can do e.g.

```clojure
:ssl-context {:private-key <>
              :protocols ["TLSv1.1" "TLSv1.2"]}
```

  • client catches SSL handshake exceptions and returns them to the caller instead of silently closing the connection after the timeout

  • server does not log a full stack trace for a failed SSL handshake, just a single-line warning

Static Name Resolver

This was actually done mostly to test SNI support, but it's still a useful standalone feature. netty/static-resolver-group creates an address resolver group to be used as a param for http/connection-pool that resolves the given list of hosts to the given IP addresses, similar to what curl --resolve <mapping> does.
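The lenient-versus-strict SNI routing discussed above, shown as an added example using Python's ssl module rather than Aleph's Clojure API (this is not code from the PR or from Aleph). select_context reproduces the SniHandler behaviour the PR describes (fall back to a default SslContext, error out if there is none), plus the strict mode the PR says it lacks, and make_server_context wires that choice into a TLS listener via sni_callback; certificates and host names are placeholders the caller supplies.

```python
import ssl
from typing import Dict, Optional


class SniRejected(Exception):
    """Raised when no context matches the ClientHello and fallback is off."""


def select_context(server_name: Optional[str], contexts: Dict[str, object],
                   default: Optional[object], strict: bool = False):
    """Choose the context for one ClientHello.

    Lenient mode mirrors Netty's SniHandler: a missing or unknown server_name
    falls back to `default` (an error if there is none, like the PR's
    IllegalArgumentException). Strict mode rejects such clients instead."""
    if server_name:
        # SNI host names compare case-insensitively; tolerate a trailing dot.
        ctx = contexts.get(server_name.rstrip(".").lower())
        if ctx is not None:
            return ctx
    if strict or default is None:
        raise SniRejected(server_name)
    return default


def make_server_context(contexts: Dict[str, ssl.SSLContext],
                        default: Optional[ssl.SSLContext],
                        strict: bool = False) -> ssl.SSLContext:
    """Listening context whose sni_callback swaps in the per-host context.
    `contexts` maps lower-case host names to contexts already loaded with
    their certificate and key (assumed to be prepared by the caller)."""
    base = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    def on_sni(sock: ssl.SSLObject, server_name: Optional[str], _ctx):
        try:
            sock.context = select_context(server_name, contexts, default, strict)
        except SniRejected:
            # Returning an alert code aborts the handshake with that alert, so
            # a non-SNI or unknown-name client gets a clean TLS failure rather
            # than being served the default certificate.
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        return None

    base.sni_callback = on_sni
    return base


def rejects(server_name, contexts, default, strict) -> bool:
    """True if select_context refuses this ClientHello (helper for checks)."""
    try:
        select_context(server_name, contexts, default, strict)
    except SniRejected:
        return True
    return False
```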

kachayev added 30 commits Feb 12, 2019
…es default SSL configuration for not-found domain