Hi Shayan,

This seems like an uncommon usage for an HTTP client. Basically you want to 
connect to a server that presents a certificate for the wrong host name. 
This is unsupported out of the box because it would be an unsafe thing to 
do in general.

The way you tried it does not work because the server name is later 
overwritten by the actual host name. It might work if you turn off 
akka-http's own SNI support by setting `ssl-config.loose.disableSNI = true`.

Johannes
On Monday, June 19, 2017 at 6:33:07 AM UTC+2, sha...@leaprail.com wrote:
>
> I am trying to connect to internal microservices using the akka-http 
> client-side HTTPS support.
>
> These secure microservices are hosted behind a proxy (HAProxy in tcp mode 
> passing TLS traffic through) with traffic routed to the appropriate service 
> through TLS SNI.
>
> In order to have akka-http properly connect to the services, we need to be 
> able to set the TLS extension servername in ClientHello (SNI) to be 
> different from the host in the URL it is connecting to. 
>
> Let's say the microservice has a certificate for "bar.com" and the proxy 
> is listening on "foo.com". We have set up the proxy such that if the SNI in 
> the TLS handshake is set to "bar.com" when connecting to "foo.com", it 
> properly routes traffic to the right place. We can verify this easily using 
> openssl with the -servername argument:
>
> openssl s_client -showcerts -servername bar.com -connect foo.com:443
>
> When we try to attain the same outcome using akka-http, we are not able to 
> alter the SNI in the TLS ClientHello when trying something like this:
>
> import javax.net.ssl.{SNIHostName, SNIServerName}
> import akka.actor.ActorRef
> import akka.http.scaladsl.{ConnectionContext, Http}
>
> // sslContext created with internal CA Root loaded into the trust store
> val params = sslContext.getDefaultSSLParameters
> val serverName: SNIHostName = new SNIHostName("bar.com")
> val serverNames = new java.util.ArrayList[SNIServerName](1)
> serverNames.add(serverName)
> params.setServerNames(serverNames)  // intended SNI: bar.com, not the URL host
> val ctx = ConnectionContext.https(sslContext, sslParameters = Some(params))
> Http(system).cachedHostConnectionPoolHttps[ActorRef](host = "foo.com", 
> port = 443, connectionContext = ctx)
>
> the client still uses the value in host (foo.com) for SNI and fails to 
> get routed to the correct service.
>
> Any idea how this can be accomplished?
>
> Many thanks in advance,
> Shayan
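Putting Johannes's setting together with the quoted attempt, as an added example that is not code from the thread or from akka-http itself: it assumes the akka-http 10.0.x `ConnectionContext.https(..., sslParameters = ...)` signature shown above, and a JKS/PKCS12 trust store holding only the internal CA root, whose path and password are passed as program arguments. The certificate identity check is kept on rather than disabled, so the decoupling of SNI from the proxy address does not turn into accepting any certificate the proxy returns.

```scala
import java.io.FileInputStream
import java.security.KeyStore
import java.util.Collections
import javax.net.ssl.{SNIHostName, SNIServerName, SSLContext, SSLParameters, TrustManagerFactory}

import akka.actor.ActorSystem
import akka.http.scaladsl.{ConnectionContext, Http}
import akka.http.scaladsl.model.HttpRequest
import akka.stream.ActorMaterializer
import com.typesafe.config.ConfigFactory

object SniOverrideClient extends App {
  // Stop akka-http from overwriting the SNI name with the URL host
  // (the setting named in the reply above).
  private val config = ConfigFactory
    .parseString("ssl-config.loose.disableSNI = true")
    .withFallback(ConfigFactory.load())
  implicit val system: ActorSystem = ActorSystem("sni-client", config)
  implicit val mat: ActorMaterializer = ActorMaterializer()
  import system.dispatcher

  // Trust only the internal CA root. Assumed: a JKS/PKCS12 trust store
  // path and its password arrive as the two program arguments.
  def internalCaContext(path: String, password: Array[Char]): SSLContext = {
    val ks = KeyStore.getInstance(KeyStore.getDefaultType)
    val in = new FileInputStream(path)
    try ks.load(in, password) finally in.close()
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(ks)
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, tmf.getTrustManagers, null)
    ctx
  }

  // Send `serviceName` in SNI but keep endpoint identification on: JSSE then
  // matches the certificate against the requested SNI name (falling back to
  // the peer host), so a chain for an unrelated name is still rejected.
  def sniParameters(ctx: SSLContext, serviceName: String): SSLParameters = {
    val params = ctx.getDefaultSSLParameters
    params.setServerNames(
      Collections.singletonList[SNIServerName](new SNIHostName(serviceName)))
    params.setEndpointIdentificationAlgorithm("HTTPS")
    params
  }

  val sslContext = internalCaContext(args(0), args(1).toCharArray)
  val https = ConnectionContext.https(
    sslContext, sslParameters = Some(sniParameters(sslContext, "bar.com")))

  // TCP goes to the proxy (foo.com); the ClientHello carries bar.com.
  Http().singleRequest(HttpRequest(uri = "https://foo.com/"), connectionContext = https)
    .onComplete { r => println(r); system.terminate() }
}
```

Leave `ssl-config.loose.disableHostnameVerification` at its default of false: the goal is to change which name the certificate is checked against, not to drop the check.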
