I am trying to connect to internal microservices using the akka-http 
client-side HTTPS support.

These secure microservices are hosted behind a proxy (HAProxy in tcp mode 
passing TLS traffic through) with traffic routed to the appropriate service 
through TLS SNI.

In order to have akka-http properly connect to the services, we need to be 
able to set the TLS extension servername in ClientHello (SNI) to be 
different from the host in the URL it is connecting to. 

Let's say the microservice has a certificate for "bar.com" and the proxy is 
listening on "foo.com". We have set up the proxy such that if the SNI in TLS 
handshake is set to "bar.com" when connecting to "foo.com", it properly 
routes traffic to the right place. We can verify this easily using openssl 
with -servername argument:

openssl s_client -showcerts -servername bar.com -connect foo.com:443

When we try to attain the same outcome using akka-http, we are not able to 
alter the SNI in the TLS ClientHello trying something like this:

import javax.net.ssl.{SNIHostName, SNIServerName}
import akka.actor.ActorRef
import akka.http.scaladsl.{ConnectionContext, Http}

// sslContext created with internal CA Root loaded into the trust store
val params = sslContext.getDefaultSSLParameters
// Request "bar.com" as the SNI name instead of the connect host
val serverName: SNIHostName = new SNIHostName("bar.com")
val serverNames = new java.util.ArrayList[SNIServerName](1)
serverNames.add(serverName)
params.setServerNames(serverNames)
val ctx = ConnectionContext.https(sslContext, sslParameters = Some(params))
Http(system).cachedHostConnectionPoolHttps[ActorRef](host = "foo.com", port = 443, connectionContext = ctx)

The client still uses the value in host (foo.com) for SNI and fails to get 
routed to the correct service.

Any idea how this can be accomplished?

Many thanks in advance,
Shayan
