fix: relaxed SNI hostname resolution (#197)

When establishing TLS connections, SNI resolution may fail if the
configured altHostname contains `_` or any other characters not allowed
by domain name standards (i.e. letters, digits and hyphens).

This change introduces a relaxed SNI resolution strategy which ignores
the LDH rules completely. Because this change goes hand in hand with
auth. via certificates, I was able to reproduce the issue only via UTs.
At this point the official Coder releases supports only auth. via API
keys.

Author: fioan89

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Fixed
+
+- relaxed SNI hostname resolution
+
 ## 0.6.5 - 2025-09-16
 
 ### Fixed

gradle.properties

@@ -1,3 +1,3 @@
-version=0.6.5
+version=0.6.6
 group=com.coder.toolbox
 name=coder-toolbox

src/main/kotlin/com/coder/toolbox/util/TLS.kt

@@ -4,8 +4,10 @@ import com.coder.toolbox.settings.ReadOnlyTLSSettings
 import okhttp3.internal.tls.OkHostnameVerifier
 import java.io.File
 import java.io.FileInputStream
+import java.net.IDN
 import java.net.InetAddress
 import java.net.Socket
+import java.nio.charset.StandardCharsets
 import java.security.KeyFactory
 import java.security.KeyStore
 import java.security.cert.CertificateException
@@ -18,11 +20,12 @@ import java.util.Locale
 import javax.net.ssl.HostnameVerifier
 import javax.net.ssl.KeyManager
 import javax.net.ssl.KeyManagerFactory
-import javax.net.ssl.SNIHostName
+import javax.net.ssl.SNIServerName
 import javax.net.ssl.SSLContext
 import javax.net.ssl.SSLSession
 import javax.net.ssl.SSLSocket
 import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.StandardConstants
 import javax.net.ssl.TrustManager
 import javax.net.ssl.TrustManagerFactory
 import javax.net.ssl.X509TrustManager
@@ -83,11 +86,13 @@ fun sslContextFromPEMs(
 
 fun coderSocketFactory(settings: ReadOnlyTLSSettings): SSLSocketFactory {
     val sslContext = sslContextFromPEMs(settings.certPath, settings.keyPath, settings.caPath)
-    if (settings.altHostname.isNullOrBlank()) {
+
+    val altHostname = settings.altHostname
+    if (altHostname.isNullOrBlank()) {
         return sslContext.socketFactory
     }
 
-    return AlternateNameSSLSocketFactory(sslContext.socketFactory, settings.altHostname)
+    return AlternateNameSSLSocketFactory(sslContext.socketFactory, altHostname)
 }
 
 fun coderTrustManagers(tlsCAPath: String?): Array<TrustManager> {
@@ -111,7 +116,7 @@ fun coderTrustManagers(tlsCAPath: String?): Array<TrustManager> {
     return trustManagerFactory.trustManagers.map { MergedSystemTrustManger(it as X509TrustManager) }.toTypedArray()
 }
 
-class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, private val alternateName: String?) :
+class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, private val alternateName: String) :
     SSLSocketFactory() {
     override fun getDefaultCipherSuites(): Array<String> = delegate.defaultCipherSuites
 
@@ -176,12 +181,19 @@ class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, priv
 
     private fun customizeSocket(socket: SSLSocket) {
         val params = socket.sslParameters
-        params.serverNames = listOf(SNIHostName(alternateName))
+
+        params.serverNames = listOf(RelaxedSNIHostname(alternateName))
         socket.sslParameters = params
     }
 }
 
+private class RelaxedSNIHostname(hostname: String) : SNIServerName(
+    StandardConstants.SNI_HOST_NAME,
+    IDN.toASCII(hostname, 0).toByteArray(StandardCharsets.UTF_8)
+)
+
 class CoderHostnameVerifier(private val alternateName: String?) : HostnameVerifier {
+
     override fun verify(
         host: String,
         session: SSLSession,

src/test/kotlin/com/coder/toolbox/util/AlternateNameSSLSocketFactoryTest.kt

@@ -0,0 +1,237 @@
+package com.coder.toolbox.util
+
+import io.mockk.Runs
+import io.mockk.every
+import io.mockk.just
+import io.mockk.mockk
+import io.mockk.verify
+import java.net.InetAddress
+import java.net.Socket
+import javax.net.ssl.SSLParameters
+import javax.net.ssl.SSLSocket
+import javax.net.ssl.SSLSocketFactory
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertNotNull
+import kotlin.test.assertSame
+
+
+class AlternateNameSSLSocketFactoryTest {
+
+    @Test
+    fun `createSocket with no parameters should customize socket with alternate name`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+
+        every { mockFactory.createSocket() } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+        // When
+        val result = alternateFactory.createSocket()
+
+        // Then
+        verify { mockSocket.sslParameters = any() }
+        assertSame(mockSocket, result)
+    }
+
+    @Test
+    fun `createSocket with host and port should customize socket with alternate name`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+
+        every { mockFactory.createSocket("original.com", 443) } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+        // When
+        val result = alternateFactory.createSocket("original.com", 443)
+
+        // Then
+        verify { mockSocket.sslParameters = any() }
+        assertSame(mockSocket, result)
+    }
+
+    @Test
+    fun `createSocket with host port and local address should customize socket`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+        val localHost = mockk<InetAddress>()
+
+        every { mockFactory.createSocket("original.com", 443, localHost, 8080) } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+        // When
+        val result = alternateFactory.createSocket("original.com", 443, localHost, 8080)
+
+        // Then
+        verify { mockSocket.sslParameters = any() }
+        assertSame(mockSocket, result)
+    }
+
+    @Test
+    fun `createSocket with InetAddress should customize socket with alternate name`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+        val address = mockk<InetAddress>()
+
+        every { mockFactory.createSocket(address, 443) } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+        // When
+        val result = alternateFactory.createSocket(address, 443)
+
+        // Then
+        verify { mockSocket.sslParameters = any() }
+        assertSame(mockSocket, result)
+    }
+
+    @Test
+    fun `createSocket with InetAddress and local address should customize socket`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+        val address = mockk<InetAddress>()
+        val localAddress = mockk<InetAddress>()
+
+        every { mockFactory.createSocket(address, 443, localAddress, 8080) } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+        // When
+        val result = alternateFactory.createSocket(address, 443, localAddress, 8080)
+
+        // Then
+        verify { mockSocket.sslParameters = any() }
+        assertSame(mockSocket, result)
+    }
+
+    @Test
+    fun `createSocket with existing socket should customize socket with alternate name`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSSLSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+        val existingSocket = mockk<Socket>()
+
+        every { mockFactory.createSocket(existingSocket, "original.com", 443, true) } returns mockSSLSocket
+        every { mockSSLSocket.sslParameters } returns mockParams
+        every { mockSSLSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+        // When
+        val result = alternateFactory.createSocket(existingSocket, "original.com", 443, true)
+
+        // Then
+        verify { mockSSLSocket.sslParameters = any() }
+        assertSame(mockSSLSocket, result)
+    }
+
+    @Test
+    fun `customizeSocket should set SNI hostname to alternate name for valid hostname`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+
+        every { mockFactory.createSocket() } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "valid-hostname.example.com")
+
+        // When & Then - This should work without throwing an exception
+        assertNotNull(alternateFactory.createSocket())
+        verify { mockSocket.sslParameters = any() }
+    }
+
+    @Test
+    fun `customizeSocket should NOT throw IllegalArgumentException for hostname with underscore`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+
+        every { mockFactory.createSocket() } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "non_compliant_hostname.example.com")
+
+        // When & Then - This should work without throwing an exception
+        assertNotNull(alternateFactory.createSocket())
+        verify { mockSocket.sslParameters = any() }
+        assertEquals(0, mockSocket.sslParameters.serverNames.size)
+    }
+
+    @Test
+    fun `createSocket should work with valid international domain names`() {
+        // Given
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+
+        every { mockFactory.createSocket() } returns mockSocket
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        val alternateFactory = AlternateNameSSLSocketFactory(mockFactory, "test-server.example.com")
+
+        // When & Then - This should work as hyphens are valid
+        assertNotNull(alternateFactory.createSocket())
+        verify { mockSocket.sslParameters = any() }
+    }
+
+    private fun createMockSSLSocketFactory(): SSLSocketFactory {
+        val mockFactory = mockk<SSLSocketFactory>()
+        val mockSocket = mockk<SSLSocket>(relaxed = true)
+        val mockParams = mockk<SSLParameters>(relaxed = true)
+
+        // Setup default behavior
+        every { mockFactory.defaultCipherSuites } returns arrayOf("TLS_AES_256_GCM_SHA384")
+        every { mockFactory.supportedCipherSuites } returns arrayOf("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256")
+
+        // Make all createSocket methods return our mock socket
+        every { mockFactory.createSocket() } returns mockSocket
+        every { mockFactory.createSocket(any<String>(), any<Int>()) } returns mockSocket
+        every { mockFactory.createSocket(any<String>(), any<Int>(), any<InetAddress>(), any<Int>()) } returns mockSocket
+        every { mockFactory.createSocket(any<InetAddress>(), any<Int>()) } returns mockSocket
+        every {
+            mockFactory.createSocket(
+                any<InetAddress>(),
+                any<Int>(),
+                any<InetAddress>(),
+                any<Int>()
+            )
+        } returns mockSocket
+        every { mockFactory.createSocket(any<Socket>(), any<String>(), any<Int>(), any<Boolean>()) } returns mockSocket
+
+        // Setup SSL parameters
+        every { mockSocket.sslParameters } returns mockParams
+        every { mockSocket.sslParameters = any() } just Runs
+
+        return mockFactory
+    }
+}