qianye1001 opened a new issue, #10300:
URL: https://github.com/apache/rocketmq/issues/10300
## Problem Statement
Currently RocketMQ Proxy supports only a **single certificate** model:
- `ProxyConfig` has only `tlsCertPath` / `tlsKeyPath` for a single cert/key pair
- gRPC and Remoting servers each build a single `SslContext`
- `TlsCertificateManager` only watches one cert/key pair for hot-reload
- No SNI (Server Name Indication) support at all
This makes it impossible to serve multiple top-level domains with different
certificates on the same Proxy port.
## Proposed Solution
Introduce **SNI (Server Name Indication)** support using Netty's
`SniHandler`. The Proxy will inspect the TLS ClientHello's SNI hostname and
dynamically select the corresponding certificate.
### Key Changes
1. **New `TlsDomainConfig` POJO** — per-domain cert/key path configuration
2. **Extended `ProxyConfig`** — new `tlsDomainConfigs` map (domain pattern → config)
3. **New `TlsSniManager`** — manages multiple `SslContext` instances with wildcard matching
4. **Extended `TlsCertificateManager`** — watches multiple cert/key pairs independently
5. **gRPC `ProxyAndTlsProtocolNegotiator`** — uses `SniHandler` for SNI-aware TLS
6. **Remoting `NettyRemotingServer`** — `TlsModeHandler` uses `SniHandler` via `TlsContextProvider`
### Configuration Example
```yaml
tlsCertPath: /path/to/default.crt
tlsKeyPath: /path/to/default.key
tlsDomainConfigs:
  "*.example.com":
    certPath: /path/to/example.crt
    keyPath: /path/to/example.key
  "*.sample.org":
    certPath: /path/to/sample.crt
    keyPath: /path/to/sample.key
```
### Wildcard Matching
- Exact match first
- Wildcard: `foo.example.com` matches `*.example.com`
- Bare domain: `example.com` matches `*.example.com`
- Multi-level (`a.b.example.com`) does NOT match `*.example.com`
- No match → fallback to default certificate
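The selection order above (exact entry first, then a single-label wildcard, then the default certificate when the ClientHello carries no SNI or nothing matches) can be spelled out as a small resolver. The following is an added example, not the project's `TlsSniManager`; the cert/key paths, the extra exact `api.sample.org` entry, the lower-casing of the SNI value and the function names are all assumptions made for the illustration. The label-boundary check is the detail worth copying: it is what keeps `notexample.com` from matching `*.example.com`.

```python
"""Certificate selection by SNI hostname, following the wildcard rules in the
issue: exact match first, then '*.suffix' matching the bare suffix or exactly
one extra label, then the default certificate.

Added illustration only; this is NOT the project's TlsSniManager. The table,
paths and function names below are constructed for the example.
"""
from typing import Dict, Optional, Tuple

CertPair = Tuple[str, str]  # (certPath, keyPath)

# Constructed sample configuration mirroring the issue's YAML; paths are placeholders.
DEFAULT_CERT: CertPair = ("/path/to/default.crt", "/path/to/default.key")
TLS_DOMAIN_CONFIGS: Dict[str, CertPair] = {
    "*.example.com": ("/path/to/example.crt", "/path/to/example.key"),
    "*.sample.org": ("/path/to/sample.crt", "/path/to/sample.key"),
    # Extra exact entry (assumption, not in the issue) to show exact-before-wildcard precedence.
    "api.sample.org": ("/path/to/api-sample.crt", "/path/to/api-sample.key"),
}


def normalize_host(name: str) -> str:
    """Lower-case and strip a trailing dot. DNS names are case-insensitive;
    the issue does not say how the proxy normalizes SNI, so this is an assumption."""
    return name.strip().lower().rstrip(".")


def wildcard_matches(pattern: str, host: str) -> bool:
    """True if host matches a '*.suffix' pattern under the issue's rules:
    the bare suffix matches, exactly one extra label matches, more labels do not.
    The label-boundary check also stops 'notexample.com' matching '*.example.com'."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if host == suffix:
        return True                          # bare domain
    if not host.endswith("." + suffix):
        return False                         # different domain, or no label boundary
    prefix = host[: -(len(suffix) + 1)]      # labels to the left of '.suffix'
    return prefix != "" and "." not in prefix  # exactly one label


def build_table(configs: Dict[str, CertPair]) -> Dict[str, CertPair]:
    """Normalize configured keys once at load time so lookups are consistent."""
    return {normalize_host(k): v for k, v in configs.items()}


def select_cert(sni: Optional[str], table: Dict[str, CertPair], default: CertPair) -> CertPair:
    """Resolve the cert/key pair for a ClientHello SNI value.
    A missing or empty SNI (legacy client) falls back to the default certificate."""
    if not sni:
        return default
    host = normalize_host(sni)
    if host in table:                        # 1. exact match wins
        return table[host]
    for pattern, cert in table.items():      # 2. single-label wildcard
        if wildcard_matches(pattern, host):
            return cert
    return default                           # 3. no match -> default


TABLE = build_table(TLS_DOMAIN_CONFIGS)


def resolve(sni: Optional[str]) -> CertPair:
    """Convenience wrapper over the constructed sample table."""
    return select_cert(sni, TABLE, DEFAULT_CERT)


if __name__ == "__main__":
    for name in ["foo.example.com", "example.com", "a.b.example.com",
                 "api.sample.org", "notexample.com", None]:
        print(f"{name!s:>18} -> {resolve(name)[0]}")
```

In the Netty-based design the issue describes, the equivalent of `select_cert` is the lookup `SniHandler` performs through the mapping it is constructed with, returning an already-built `SslContext` rather than file paths; what the example shows is the precedence and boundary rules that lookup has to enforce, and that a client sending no SNI is always answered with the default certificate.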
## Verification
### Manual verification with `openssl s_client`:
```bash
# First domain
openssl s_client -connect 127.0.0.1:<proxyPort> -servername test.example.com \
  </dev/null 2>/dev/null | openssl x509 -noout -subject
# Second domain
openssl s_client -connect 127.0.0.1:<proxyPort> -servername test.sample.org \
  </dev/null 2>/dev/null | openssl x509 -noout -subject
# No SNI → should return default cert
openssl s_client -connect 127.0.0.1:<proxyPort> </dev/null 2>/dev/null | \
  openssl x509 -noout -subject
```
### Backward Compatibility
When `tlsDomainConfigs` is not configured, the behavior is **identical** to
the current single-certificate model.
## Related PR
https://github.com/apache/rocketmq/pull/10299
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]