racorn opened a new pull request #8117: URL: https://github.com/apache/pulsar/pull/8117
### Motivation

The Java Pulsar client does not currently set the SNI header when it creates TLS connections using the binary protocol to brokers (except when using proxyUrl with SNI routing). If the client always set the SNI header, it can enable ingress routing using reverse proxies like HAProxy, possibly in combination with external advertised addresses.

### Modifications

- `org.apache.pulsar.client.impl.PulsarChannelInitializer` modified to set up the SslHandler after the Netty channel is registered. A new method `CompletableFuture<Channel> initTls(Channel ch, InetSocketAddress sniHost)` was added to explicitly specify the remote peer.
- `org.apache.pulsar.client.impl.ConnectionPool` modified to always invoke `PulsarChannelInitializer.initTls` with a peer host if TLS is enabled.
- Added method `public SSLEngine createSSLEngine(String peerHost, int peerPort)` to `org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext` so SNI header is irrespective of using OpenSSL or internal Java TLS.

### Verifying this change

- Added `org.apache.pulsar.client.api.TlsSniTest` to verify that using an IP-address in the brokerServiceUrl does not cause problems.
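The following is an added example, not code from this pull request or from Pulsar: a plain-JSSE sketch of building a client `SSLEngine` from a peer host and port so that the `server_name` extension carries the broker hostname, while an IP literal (which RFC 6066 does not permit as an SNI host name) results in no SNI entry. The class and method names, the simplified literal check, and the sample hosts and port are assumptions of this example.

```java
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniEngineExample {

    // Simplified literal check (assumption of this example): four dotted decimal
    // groups, or any ':' (never valid in a DNS name), is treated as an IP literal.
    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Build a client-mode engine bound to the peer and set SNI explicitly.
    static SSLEngine newClientEngine(SSLContext ctx, String peerHost, int peerPort) {
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        if (isIpLiteral(peerHost)) {
            // No server_name is requested for an IP literal.
            params.setServerNames(Collections.emptyList());
        } else {
            params.setServerNames(Collections.singletonList(new SNIHostName(peerHost)));
        }
        engine.setSSLParameters(params);
        return engine;
    }

    // Server names the engine is configured to request (empty when none).
    static List<SNIServerName> requestedNames(SSLEngine engine) {
        List<SNIServerName> names = engine.getSSLParameters().getServerNames();
        return names == null ? Collections.emptyList() : names;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample peers: a hostname, an IPv4 literal and an IPv6 literal.
        for (String host : new String[] {"broker.example.com", "192.0.2.10", "2001:db8::1"}) {
            SSLEngine engine = newClientEngine(ctx, host, 6651);
            System.out.println(host + " -> " + requestedNames(engine));
        }
    }
}
```

SNI only tells the reverse proxy which backend the client wants; it does not authenticate the broker, so certificate and hostname verification remain separate settings.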
