Support SNI during TLS handshake

Author: dajudge

proxybase/src/main/java/com/dajudge/proxybase/DownstreamSslHandlerFactory.java

@@ -20,54 +20,76 @@
 import com.dajudge.proxybase.certs.Filesystem;
 import com.dajudge.proxybase.certs.KeyStoreManager;
 import com.dajudge.proxybase.config.DownstreamSslConfig;
+import com.dajudge.proxybase.config.Endpoint;
+import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
-import io.netty.handler.ssl.SslHandler;
+import io.netty.channel.socket.SocketChannel;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.*;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Optional;
+import java.util.function.Function;
 import java.util.function.Supplier;
 
 import static com.dajudge.proxybase.HostnameCheck.NULL_VERIFIER;
-import static com.dajudge.proxybase.SslUtils.createKeyManagers;
-import static com.dajudge.proxybase.SslUtils.createTrustManagers;
+import static com.dajudge.proxybase.SslUtils.*;
 import static com.dajudge.proxybase.certs.ReloadingKeyStoreManager.createReloader;
 
 public class DownstreamSslHandlerFactory {
-    public static ChannelHandler createDownstreamSslHandler(
+    public static Function<Channel, ChannelHandler> createDownstreamSslHandler(
             final DownstreamSslConfig config,
-            final String downstreamHostname,
+            final Endpoint downstreamEndpoint,
             final Supplier<Long> clock,
             final Filesystem filesystem
-            ) {
+    ) {
         final HostnameCheck hostnameCheck = config.isHostnameVerificationEnabled()
-                ? new HttpClientHostnameCheck(downstreamHostname)
+                ? new HttpClientHostnameCheck(downstreamEndpoint.getHost())
                 : NULL_VERIFIER;
         return createDownstreamSslHandler(
                 hostnameCheck,
                 createReloader(config.getTrustStore(), clock, filesystem),
-                config.getKeyStore().map(it -> createReloader(it, clock, filesystem))
+                config.getKeyStore().map(it -> createReloader(it, clock, filesystem)),
+                Optional.of(downstreamEndpoint)
         );
     }
 
-    public static ChannelHandler createDownstreamSslHandler(
+    public static Function<Channel, ChannelHandler> createDownstreamSslHandler(
             final HostnameCheck hostnameCheck,
             final KeyStoreManager trustStoreManager,
-            final Optional<KeyStoreManager> keyStoreManager
+            final Optional<KeyStoreManager> keyStoreManager,
+            final Optional<Endpoint> peerEndpoint
     ) {
         try {
             final SSLContext clientContext = SSLContext.getInstance("TLS");
+            final HostCheckingTrustManager trustManager = new HostCheckingTrustManager(
+                    createTrustManagers(trustStoreManager),
+                    hostnameCheck
+            );
             final X509TrustManager[] trustManagers = {
-                    new HostCheckingTrustManager(createTrustManagers(trustStoreManager), hostnameCheck)
+                    trustManager
             };
-            clientContext.init(createKeyManagers(keyStoreManager), trustManagers, null);
-            final SSLEngine engine = clientContext.createSSLEngine();
+            final X509KeyManager[] keyManagers = createKeyManagers(keyStoreManager);
+            clientContext.init(keyManagers, trustManagers, null);
+            final SSLEngine engine = peerEndpoint
+                    .map(it -> clientContext.createSSLEngine(it.getHost(), it.getPort()))
+                    .orElse(clientContext.createSSLEngine());
             engine.setUseClientMode(true);
-            return new SslHandler(engine);
-        } catch (final NoSuchAlgorithmException | KeyManagementException e) {
+            final SslContext context = SslContextBuilder.forClient()
+                    .keyManager(createKeyManagerFactory(keyStoreManager))
+                    .trustManager(trustManager)
+                    .build();
+            if (peerEndpoint.isPresent()) {
+                return ch -> {
+                    final Endpoint endpoint = peerEndpoint.get();
+                    return context.newHandler(ch.alloc(), endpoint.getHost(), endpoint.getPort());
+                };
+            } else {
+                return ch -> context.newHandler(ch.alloc());
+            }
+        } catch (final NoSuchAlgorithmException | KeyManagementException | SSLException e) {
             throw new RuntimeException("Failed to initialize downstream SSL handler", e);
         }
     }

proxybase/src/main/java/com/dajudge/proxybase/SslUtils.java

@@ -58,18 +58,26 @@ static X509KeyManager[] createKeyManagers(final KeyStoreManager keyStoreManager)
     }
 
     static X509KeyManager[] createKeyManagers(final Optional<KeyStoreManager> keyStoreManager) {
+        if (!keyStoreManager.isPresent()) {
+            return new X509KeyManager[]{};
+        }
+        return Arrays.stream(createKeyManagerFactory(keyStoreManager).getKeyManagers())
+                .filter(it -> it instanceof X509KeyManager)
+                .map(it -> (X509KeyManager) it)
+                .toArray(X509KeyManager[]::new);
+    }
+
+    public static KeyManagerFactory createKeyManagerFactory(final Optional<KeyStoreManager> keyStoreManager) {
         try {
-            if (!keyStoreManager.isPresent()) {
-                return new X509KeyManager[]{};
-            }
             final KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            final KeyStoreManager keyStoreWrapper = keyStoreManager.get();
-            final KeyStoreWrapper keyStore = keyStoreWrapper.getKeyStore();
-            factory.init(keyStore.getKeyStore(), keyStore.getKeyPassword());
-            return Arrays.stream(factory.getKeyManagers())
-                    .filter(it -> it instanceof X509KeyManager)
-                    .map(it -> (X509KeyManager) it)
-                    .toArray(X509KeyManager[]::new);
+            if (keyStoreManager.isPresent()) {
+                final KeyStoreManager keyStoreWrapper = keyStoreManager.get();
+                final KeyStoreWrapper keyStore = keyStoreWrapper.getKeyStore();
+                factory.init(keyStore.getKeyStore(), keyStore.getKeyPassword());
+            } else {
+                factory.init(null, null);
+            }
+            return factory;
         } catch (final UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException e) {
             throw new RuntimeException("Failed to setup key manager", e);
         }

proxybase/src/test/java/com/dajudge/proxybase/util/TestSslConfiguration.java

@@ -204,8 +204,9 @@ public void configureDownstreamPipeline(final ChannelPipeline pipeline) {
                     createDownstreamSslHandler(
                             HostnameCheck.NULL_VERIFIER,
                             clientTrustStoreManager,
-                            Optional.ofNullable(getClientKeyStoreManager())
-                    )
+                            Optional.ofNullable(getClientKeyStoreManager()),
+                            Optional.empty()
+                    ).apply(pipeline.channel())
             );
         }