Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: set hostname for SNI #113

Merged
merged 1 commit into from
Sep 4, 2024
Merged

feat: set hostname for SNI #113

merged 1 commit into from
Sep 4, 2024

Conversation

billy34
Copy link

@billy34 billy34 commented Aug 30, 2024

This pull request enhances TLSTransport to allow Server Name Identification (SNI) on server.

The hostname must be set in the SSLContext which is not available as a parameter on RedisConnection.

To reduce the changes introduced, I decided to forward the host given as a parameter to transport function to the call of TLSTransport and so added a host parameter to it also.

Then according to the MbedTLS documentation

  • I do not set hostname if it was provided as an IPv4 or IPv6 address as it is unsupported.
  • I set hostname otherwise as it is harmless even if SNI is not used

feat: set hostname for SNI
dda35f6 
Set the hostname so that the server can use it to select the correct certificate (SNI).

1. add host parameter to TLSTransport function and set hostname SSLContext parameter
only if it was not provided as an IPV4 or IPV6 address

2. forward host from transport function call to  TLSTransport.
@jkaye2012
Copy link
Collaborator

Hey, thanks for the PR.

What's the behavior if localhost is passed?

@billy34
Copy link
Author

billy34 commented Sep 3, 2024
edited
Loading

Good point but I think it is only a matter of how the server will handle it.
SNI is used to select a certificate if the server is set to handle multiple subdomains with separate certificates.
If no certificate is found with subdomain set to localhost then it won't be able to terminate the TLS handshake and refuse the connection.

If you use "localhost" as hostname, this information will only be used if you have set your local server to use TLS protocol. If so you must have provided a certificate, be it self-signed or not to secure the communication. After it depends of how the server name was defined in the certificate and if the server has been told to validate the hostname or not.

As I already check if host was provided as an IP address, I can easily reject also "localhost".

My use case
client -----(TCP over mutualTLS)------ reverse proxy (traefik) -----(TCP)------ Redis
The reverse proxy handle multiple virtual hosts with a SAN certificate for TLS and require a valid client certificate for mutual authentication.

@jkaye2012
Copy link
Collaborator

Yeah, it makes sense that this path should only kick in if someone requests TLS on localhost. I'm not sure why they would do that, or what impact SNI would have (SNI just isn't something I have much experience with at all, personally). Do you think it would be better to exempt localhost specifically, or leave it as-is? I'm just not sure if this could somehow break someone's workflow that is functional currently (and thus require a major version bump).

@billy34
Copy link
Author

billy34 commented Sep 4, 2024

hostname is just a label added to the informations sent to server during initial TLS handshake to ease the selection of proper certificate in case it handles multiple virtual hosts.
It will be set only if TLSconnection is used to connect to the server.
I could have added an additional boolean parameter such as setHostname but I didn't want to alter the parameters of the user facing functions to reduce the probability of incompatible change.
It is easy to exempt also localhost and I can provide a commit if it is better.

@jkaye2012
Copy link
Collaborator

Okay, let's go with this as-is then. I agree that a boolean parameter is not the way.

@jkaye2012 jkaye2012 merged commit 0347f25 into JuliaDatabases:master Sep 4, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@billy34 @jkaye2012