This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch branch-2.11
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.11 by this push:
     new d2438389fe2 [fix][admin] Add SNI header when tlsHostnameVerification 
is not enabled (#17543)
d2438389fe2 is described below

commit d2438389fe2d572ef67a76a9cc954e93d71700c9
Author: Yang Yang <[email protected]>
AuthorDate: Wed Sep 14 17:55:10 2022 +0800

    [fix][admin] Add SNI header when tlsHostnameVerification is not enabled 
(#17543)
    
    (cherry picked from commit 99b52ebfcbcd97793c49e4b64596108b480f55b3)
---
 .../admin/internal/http/AsyncHttpConnector.java    |  5 +++
 .../org/apache/pulsar/client/impl/HttpClient.java  |  5 +++
 .../client/util/WithSNISslEngineFactory.java       | 42 ++++++++++++++++++++++
 3 files changed, 52 insertions(+)

diff --git 
a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
 
b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
index 4595d6fd54d..ea00930e546 100644
--- 
a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
+++ 
b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
@@ -51,6 +51,7 @@ import 
org.apache.pulsar.client.api.AuthenticationDataProvider;
 import org.apache.pulsar.client.api.KeyStoreParams;
 import org.apache.pulsar.client.impl.PulsarServiceNameResolver;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.util.WithSNISslEngineFactory;
 import org.apache.pulsar.common.util.FutureUtil;
 import org.apache.pulsar.common.util.SecurityUtility;
 import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
@@ -171,6 +172,10 @@ public class AsyncHttpConnector implements Connector {
                                 conf.getTlsProtocols());
                     }
                     confBuilder.setSslContext(sslCtx);
+                    if (!conf.isTlsHostnameVerificationEnable()) {
+                        confBuilder.setSslEngineFactory(new 
WithSNISslEngineFactory(serviceNameResolver
+                                .resolveHostUri().getHost()));
+                    }
                 }
             }
             
confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
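Review bot: The SNI name in the added `if (!conf.isTlsHostnameVerificationEnable())` branch comes from a single `serviceNameResolver.resolveHostUri().getHost()` call made while the client config is built, so it is fixed for the lifetime of the client. If the service URL lists several hosts (the resolver's behaviour is not visible in this hunk), later connections to the other hosts would presumably still send the first host's name. The HttpClient.java hunk has the same pattern. At minimum I would record the limitation at both call sites, e.g. `// SNI name is pinned to the host resolved here; it is not re-resolved per connection`. It is also worth stating there that SNI only selects the server certificate and that the certificate name is still not checked on this path. The enclosing method starts and ends outside the hunk.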
diff --git 
a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java 
b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
index 5d22a9bef1f..68082f65be6 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -43,6 +43,7 @@ import org.apache.pulsar.client.api.KeyStoreParams;
 import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.client.api.PulsarClientException.NotFoundException;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.util.WithSNISslEngineFactory;
 import org.apache.pulsar.common.util.ObjectMapperFactory;
 import org.apache.pulsar.common.util.SecurityUtility;
 import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
@@ -140,6 +141,10 @@ public class HttpClient implements Closeable {
                                 conf.getTlsProtocols());
                     }
                     confBuilder.setSslContext(sslCtx);
+                    if (!conf.isTlsHostnameVerificationEnable()) {
+                        confBuilder.setSslEngineFactory(new 
WithSNISslEngineFactory(serviceNameResolver
+                                .resolveHostUri().getHost()));
+                    }
                 }
 
                 
confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
diff --git 
a/pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java
 
b/pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java
new file mode 100644
index 00000000000..965a7f2aec3
--- /dev/null
+++ 
b/pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.client.util;
+
+import java.util.Collections;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import org.asynchttpclient.AsyncHttpClientConfig;
+import org.asynchttpclient.netty.ssl.DefaultSslEngineFactory;
+
+public class WithSNISslEngineFactory extends DefaultSslEngineFactory {
+    private final String host;
+
+    public WithSNISslEngineFactory(String host) {
+        this.host = host;
+    }
+
+    @Override
+    protected void configureSslEngine(SSLEngine sslEngine, 
AsyncHttpClientConfig config) {
+        super.configureSslEngine(sslEngine, config);
+        SSLParameters params = sslEngine.getSSLParameters();
+        params.setServerNames(Collections.singletonList(new 
SNIHostName(host)));
+        sslEngine.setSSLParameters(params);
+    }
+}
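Review bot: `new SNIHostName(host)` is evaluated inside `configureSslEngine` for every engine, on a `host` the constructor never validates, so a bad value only surfaces when a connection is attempted. `SNIHostName` throws NullPointerException for null and IllegalArgumentException for an empty or illegal name. `URI.getHost()` at the call sites can return null, or a bracketed IPv6 literal that would likely be rejected. An IP-literal service URL is plausible precisely when hostname verification is switched off. Building the list once in the constructor makes the failure immediate and avoids the per-connection allocation: `this.serverNames = Collections.singletonList(new SNIHostName(host));` then `params.setServerNames(serverNames);`. The callers should skip installing the factory when the host is null or an IP literal. The public class also has no Javadoc; it should say that it is meant for use when endpoint identification is disabled, and that it only sets the SNI extension without verifying the server certificate against `host`.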
