Support SNI (#19)

Add support to easily add SNI to your HTTPS server.

Author: jpage-godaddy

README.md

@@ -27,6 +27,7 @@ a node-style callback. The config object must have at minimum an `http` or
 | `https.key`               | PEM/file path for the server's private key. See [Certificate normalization](#certificate-normalization) for more details. |
 | `https.cert`              | PEM/file path(s) for the server's certificate. See [Certificate normalization](#certificate-normalization) for more details. |
 | `https.ca`                | Cert or array of certs specifying trusted authorities for peer certificates. Only required if your server accepts client certificate connections signed by authorities that are not trusted by default. See [Certificate normalization](#certificate-normalization) for more details. |
+| `https.sni`               | See [SNI Support](#sni-support). |
 | `https.handler`           | Handler for HTTPS requests. If you want to share a handler with all servers, use a top-level `handler` config property instead. |
 | `https.*`                 | Any other properties supported by [https.createServer](https://nodejs.org/dist/latest-v8.x/docs/api/https.html#https_https_createserver_options_requestlistener) can be added to the https object, except `secureProtocol` and `secureOptions` which are set to recommended values. |
 
@@ -38,7 +39,7 @@ following properties:
 | `http`   | The HTTP server that was created, if any |
 | `https`  | The HTTPS server that was created, if any |
 
-### Certificate normalization
+### Certificate Normalization
 
 `create-servers` provides some conveniences for `https.ca`, `https.key`, and 
 `https.cert` config properties. You may use PEM data directly (inside a `Buffer`
@@ -99,6 +100,61 @@ createServers({
 })
 ```
 
+### SNI Support
+
+[Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication),
+or SNI, lets HTTPS clients announce which hostname they wish to connect to
+before the server sends its certificate, enabling the use of the same server for
+multiple hosts. Although `SNICallback` can be used to support this, you lose the
+convenient certificate normalization provided by `create-servers`. The `sni`
+config option provides an easier way.
+
+The `sni` option is an object with each key being a supported hostname and each
+value being a subset of the HTTPS settings listed above. HTTPS settings defined
+at the top level are used as defaults for the hostname-specific settings.
+
+```js
+const createServers = require('create-servers');
+
+createServers(
+  {
+    https: {
+      port: 443,
+      sni: {
+        'example1.com': {
+          key: '/certs/private/example1.com.key',
+          cert: '/certs/public/example1.com.crt'
+        },
+        'example2.com': {
+          key: '/certs/private/example2.com.key',
+          cert: '/certs/public/example2.com.crt'
+        }
+      }
+    },
+    handler: function (req, res) {
+      res.end('Hello');
+    }
+  },
+  function (errs) {
+    if (errs) {
+      return console.log(errs.https);
+    }
+
+    console.log('Listening on 443');
+  }
+);
+```
+
+Use `*` in the hostname for wildcard certs. Example: `*.example.com`. The
+following settings are supported in the host-specific configuration:
+
+* key
+* cert
+* ca
+* ciphers
+* honorCipherOrder
+* Anything else supported by [`tls.createSecureContext`](https://nodejs.org/dist/latest-v8.x/docs/api/tls.html#tls_tls_createsecurecontext_options)
+
 ## NOTE on Security
 Inspired by [`iojs`][iojs] and a well written [article][article], we have defaulted
 our [ciphers][ciphers] to support "perfect-forward-security" as well as removing insecure

index.js

@@ -10,7 +10,9 @@
 var fs = require('fs'),
     http = require('http'),
     https = require('https'),
+    tls = require('tls'),
     path = require('path'),
+    constants = require('constants'),
     connected = require('connected'),
     errs = require('errs'),
     assign = require('object-assign');
@@ -36,6 +38,8 @@ var CIPHERS = [
   '!CAMELLIA'
 ].join(':');
 
+var secureOptions = constants.SSL_OP_NO_SSLv3;
+
 /**
  * function createServers (dispatch, options, callback)
  * Creates and listens on both HTTP and HTTPS servers.
@@ -120,52 +124,43 @@ module.exports = function createServers(options, listening) {
   // ### function createHttps ()
   // Attempts to create and listen on the HTTPS server.
   //
-  function createHttps(next) {
+  function createHttps() {
     if (typeof options.https === 'undefined') {
       log('https | no options.https; no server');
       return onListen('https');
     }
 
     var ssl  = options.https,
         port = !isNaN(ssl.port) ? +ssl.port : 443,  // accepts string or number
-        ciphers = ssl.ciphers || CIPHERS,
         timeout = options.timeout || ssl.timeout,
-        ca = ssl.ca,
         server,
         args;
 
-    //
-    // Remark: If an array is passed in lets join it like we do the defaults
-    //
-    if (Array.isArray(ciphers)) {
-      ciphers = ciphers.join(':');
-    }
-
-    if (ca && !Array.isArray(ca)) {
-      ca = [ca];
-    }
-
     var finalHttpsOptions = assign({}, ssl, {
       //
       // Load default SSL key, cert and ca(s).
       //
       key: normalizePEMContent(ssl.root, ssl.key),
       cert: normalizeCertContent(ssl.root, ssl.cert, ssl.key),
-      ca: ca && ca.map(normalizePEMContent.bind(null, ssl.root)),
+      ca: normalizeCA(ssl.root, ssl.ca),
       //
       // Properly expose ciphers for an A+ SSL rating:
       // https://certsimple.com/blog/a-plus-node-js-ssl
       //
-      ciphers: ciphers,
+      ciphers: normalizeCiphers(ssl.ciphers),
       honorCipherOrder: !!ssl.honorCipherOrder,
       //
       // Protect against the POODLE attack by disabling SSLv3
       // @see http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
       //
       secureProtocol: 'SSLv23_method',
-      secureOptions: require('constants').SSL_OP_NO_SSLv3
+      secureOptions: secureOptions
     });
 
+    if (ssl.sni && !finalHttpsOptions.SNICallback) {
+      finalHttpsOptions.SNICallback = getSNIHandler(ssl)
+    }
+
     log('https | listening on %d', port);
     server = https.createServer(finalHttpsOptions, ssl.handler || handler);
 
@@ -219,6 +214,13 @@ function normalizeCertChain(root, data) {
   return Array.isArray(content) ? content.join('\n') : content;
 }
 
+function normalizeCA(root, ca) {
+  if (ca && !Array.isArray(ca)) {
+    ca = [ca];
+  }
+  return ca && ca.map(normalizePEMContent.bind(null, root));
+}
+
 /**
  * function normalizePEMContent(root, file)
  * Returns the contents of `file` verbatim if it is determined to be
@@ -239,3 +241,59 @@ function normalizePEMContent(root, file) {
 
   return fs.readFileSync(path.resolve(root, file));
 }
+
+function normalizeCiphers(ciphers) {
+  ciphers = ciphers || CIPHERS;
+  //
+  // Remark: If an array is passed in lets join it like we do the defaults
+  //
+  if (Array.isArray(ciphers)) {
+    ciphers = ciphers.join(':');
+  }
+  return ciphers;
+}
+
+function getSNIHandler(sslOpts) {
+  var sniHosts = Object.keys(sslOpts.sni);
+
+  // Pre-compile regexps for the hostname
+  var hostRegexps = sniHosts.map(function (host) {
+    return new RegExp(
+      '^' +
+      host
+        .replace('.', '\\.')             // Match dots, not wildcards
+        .replace('*\\.', '(?:.*\\.)?') + // Handle optional wildcard sub-domains
+      '$',
+      'i'
+    );
+  });
+
+  // Prepare secure context params ahead-of-time
+  var hostTlsOpts = sniHosts.map(function (host) {
+    var hostOpts = sslOpts.sni[host];
+
+    var root = hostOpts.root || sslOpts.root;
+
+    return assign({}, sslOpts, hostOpts, {
+      key: normalizePEMContent(root, hostOpts.key),
+      cert: normalizeCertContent(root, hostOpts.cert),
+      ca: normalizeCA(root, hostOpts.ca || sslOpts.ca),
+      ciphers: normalizeCiphers(hostOpts.ciphers || sslOpts.ciphers),
+      honorCipherOrder: !!(hostOpts.honorCipherOrder || sslOpts.honorCipherOrder),
+      secureProtocol: 'SSLv23_method',
+      secureOptions: secureOptions
+    });
+  });
+
+  return function (hostname, cb) {
+    var matchingHostIdx = sniHosts.findIndex(function(candidate, i) {
+      return hostRegexps[i].test(hostname);
+    });
+
+    if (matchingHostIdx === -1) {
+      return void cb(new Error('Unrecognized hostname: ' + hostname));
+    }
+
+    cb(null, tls.createSecureContext(hostTlsOpts[matchingHostIdx]));
+  };
+}

package-lock.json

@@ -27,6 +27,7 @@
     "object-assign": "^4.1.0"
   },
   "devDependencies": {
+    "evil-dns": "^0.2.0",
     "sinon": "^5.0.7",
     "tape": "~4.9.0"
   }

package.json

@@ -7,19 +7,49 @@
 
 var path = require('path'),
     fs = require('fs'),
+    url = require('url'),
     http = require('http'),
     https = require('https'),
+    { promisify } = require('util'),
     test = require('tape'),
     sinon = require('sinon'),
+    evilDNS = require('evil-dns'),
     createServers = require('../');
 
+const createServersAsync = promisify(createServers);
+
+const ca = fs.readFileSync(path.join(__dirname, './fixtures/example-ca-cert.pem'));
+
 //
 // Immediately end a response.
 //
 function fend(req, res) {
   res.end();
 }
 
+//
+// Request and download response from a URL
+//
+async function download(httpsURL) {
+  return new Promise((resolve, reject) => {
+    const req = https.get({
+      ...url.parse(httpsURL),
+      ca
+    }, res => {
+      const chunks = [];
+      res
+        .on('data', chunk => chunks.push(chunk))
+        .once('end', () => {
+          resolve(chunks.map(chunk => chunk.toString('utf8')).join(''));
+        })
+        .once('aborted', reject)
+        .once('close', reject)
+        .once('error', reject)
+    });
+    req.once('error', reject);
+  });
+}
+
 test('only http', function (t) {
   t.plan(3);
   createServers({
@@ -321,3 +351,58 @@ test('supports requestCert https option', function (t) {
     spy.restore();
   });
 });
+
+test('supports SNI', async t => {
+  t.plan(1);
+
+  const hostNames = [
+    'example.com',
+    'example.net',
+    'foo.example.org',
+  ];
+
+  let httpsServer;
+  try {
+    const servers = await createServersAsync({
+      https: {
+        port: 3456,
+        root: path.join(__dirname, 'fixtures'),
+        sni: {
+          'example.com': {
+            key: 'example-com-key.pem',
+            cert: 'example-com-cert.pem'
+          },
+          'example.net': {
+            key: 'example-net-key.pem',
+            cert: 'example-net-cert.pem'
+          },
+          '*.example.org': {
+            key: 'example-org-key.pem',
+            cert: 'example-org-cert.pem'
+          }
+        }
+      },
+      handler: (req, res) => {
+        res.write('Hello');
+        res.end();
+      }
+    });
+    httpsServer = servers.https;
+
+    hostNames.forEach(host => evilDNS.add(host, '0.0.0.0'));
+
+    const responses = await Promise.all(hostNames
+      .map(hostname => download(`https://${hostname}:3456/`)));
+
+    t.equals(
+      responses.every(str => str === 'Hello'),
+      true,
+      'responses are as expected');
+
+  } catch (err) {
+    return void t.error(err);
+  } finally {
+    httpsServer && httpsServer.close();
+    evilDNS.clear();
+  }
+});

test/create-servers-test.js

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAeoCCQDYRRRzyGC6DTANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJV
+UzEVMBMGA1UECgwMRXhhbXBsZSwgTExDMR0wGwYDVQQDDBRFeGFtcGxlLCBMTEMg
+Um9vdCBDQTAeFw0xODA3MTYyMjA0MjNaFw0zMjAzMjQyMjA0MjNaMEMxCzAJBgNV
+BAYTAlVTMRUwEwYDVQQKDAxFeGFtcGxlLCBMTEMxHTAbBgNVBAMMFEV4YW1wbGUs
+IExMQyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA26Od
+pa6GI2pdRHPgNJzMJdgs9ZQ7i9g4/U3n15xifAGNsGXQc7dgfe22fCdJ4YJBdCHK
+ikPQF5thS1iu4Sn03yMHj8QapPThAsgI5Xe43eoFqpCghsD27J3efsv+gncrxW8q
+i37o3vSmaom5gUTjY42l0WP0bN/Ehkeptz5TlhbKEfSq30oZFbh68BnTKU1p3ai6
+j7iHnervoHDlAWzI0QUTn/DufDyMOT2+AUUso6ElZsk+aqlmE7ZcYmVjwKKd82ZC
+k16tJQAyKvZSosQWPokH5uKSV64GJHJElE6l1GzNxrIAGocLeowF8fcZUvcNSXO9
+ZUYWccipgOalYyJyIwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAkLI/zlkuR0Suj
+/mWlAnxQee38bAA03phidFpVczoCM/EP9TtekK90ML0BGK49EvwyD0MJQh832G6s
+JKFL4rQFW7PfCyejIxyrn+p2tIfArEYbmxoLlfkWiBTT+y4Cpq3q72z8WDVRuMTR
+qaIClkyJ5RcNWOTV0rZFKrqm4Hu+O+3LWwxk6eoGb7M6cUqCSWnw71zX71SwnGuL
+5pzEbUaovJN7Q2TCnqiBxcGF0ukhovWnN37ZT41OPi1Fz6sCG5BDDxEaB3xAWY9k
+15uhxhqwRdYB7fDBuY51F02uUrA9weDFvN0kqfNwn0HRi6ptCqA0kuIBIqMqWhUz
+7o1jaXrK
+-----END CERTIFICATE-----