qianye1001 commented on issue #10302:
URL: https://github.com/apache/rocketmq/issues/10302#issuecomment-4542174573
## 🤖 Auto-generated Fix Spec (v1)
A detailed implementation spec has been generated for SNI multi-domain TLS
support.
### Summary
**Root Cause:** `ProxyConfig` and `ProxyAndTlsProtocolNegotiator` only
support a single certificate model with static `SslContext`. No SNI handler
exists in the pipeline.
**Proposed Solution:**
- Introduce `TlsDomainConfig` POJO for per-domain cert/key configuration
- Add `TlsSniManager` to manage multiple `SslContext` instances with
wildcard matching
- Inject Netty `SniHandler` into both gRPC and Remoting pipelines
- Extend `TlsCertificateManager` to watch multiple cert/key pairs
independently
- Fully backward compatible: empty `tlsDomainConfigs` behaves identically to
current single-cert mode
**Architecture:**
```
ProxyConfig.tlsDomainConfigs
  "*.example.com" → cert/key
  "*.sample.org"  → cert/key
  default         → tlsCertPath/tlsKeyPath
         │
         ▼
TlsSniManager (Map<pattern, SslContext>)
         │
    ┌────┴────┐
    ▼         ▼
  gRPC     Remoting
pipeline   pipeline
```
**Files to modify:** 16 total
- 4 new files: `TlsDomainConfig`, `TlsSniManager`, `SniHostnameMatcher`,
`TlsContextProvider`
- 8 modified: `ProxyConfig`, `ProxyAndTlsProtocolNegotiator`,
`TlsCertificateManager`, `GrpcServer`, `MultiProtocolTlsHelper`,
`MultiProtocolRemotingServer`, `NettyRemotingServer`, `ProxyStartup`
- 4 test files
**SNI Matching Algorithm:**
1. Exact match (O(1) lookup)
2. Wildcard match: `foo.example.com` → `*.example.com` (with label-count
guard)
3. Fallback to default certificate
**Configuration:**
```json
{
  "tlsCertPath": "/etc/rocketmq/tls/default.crt",
  "tlsKeyPath": "/etc/rocketmq/tls/default.key",
  "tlsDomainConfigs": {
    "*.example.com": {
      "certPath": "/etc/rocketmq/tls/example.crt",
      "keyPath": "/etc/rocketmq/tls/example.key"
    }
  }
}
```
**Testing Strategy:**
- Unit tests for `SniHostnameMatcher` and `TlsSniManager`
- Netty `EmbeddedChannel` integration tests
- Hot-reload tests
- Manual verification with `openssl s_client`
**Risks & Mitigations:**
- gRPC negotiator interplay → resolve context in `SniHandler.newSslHandler`
- Pipeline ordering → keep PROXY protocol handler before SNI
- Concurrent reload races → use `volatile` references
---
@qianye1001 The above is an auto-generated implementation spec based on your
issue description.
**Next steps:**
- Review the detailed spec (322 lines with code snippets, architecture
diagrams, and test plans)
- Reply with one of the following commands:
```
/approve        - Approve the spec, auto-generate a PR
/revise <notes> - Provide feedback for revision (e.g., "/revise simplify the matching algorithm")
/reject         - Decline, close the auto-fix flow
```
> ⏰ This flow will auto-expire in **72 hours** if no response is received.
>
> The full spec is available at: `/tmp/apache_rocketmq/issue/10302/spec_v1.md`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
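The three-step SNI matching algorithm described in the spec above (exact match, wildcard match with a label-count guard, fallback to the default certificate), as an added stand-alone illustration that is not RocketMQ's code and not a snippet from the generated spec. `SniHostnameMatcherDemo` and the context names are placeholders, and the label-count guard is interpreted here as a single-label wildcard in the style of RFC 6125, so `*.example.com` covers `foo.example.com` but neither `a.b.example.com` nor `example.com`.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/** Maps an SNI server name to a certificate context: exact match, then single-label wildcard, then default. */
public final class SniHostnameMatcherDemo {
    private final Map<String, String> exact = new HashMap<>();    // "mq.sample.org" -> context name
    private final Map<String, String> wildcard = new HashMap<>(); // "example.com" (from "*.example.com") -> context name
    private final String defaultContext;                          // stands in for the tlsCertPath/tlsKeyPath context

    public SniHostnameMatcherDemo(String defaultContext) {
        this.defaultContext = defaultContext;
    }

    /** Registers "host.example.com" or "*.example.com"; only a leading single-label wildcard is recognised. */
    public void add(String pattern, String context) {
        String p = normalize(pattern);
        if (p.startsWith("*.")) {
            wildcard.put(p.substring(2), context);
        } else {
            exact.put(p, context);
        }
    }

    public String resolve(String serverName) {
        if (serverName == null || serverName.isEmpty()) {
            return defaultContext;                        // client sent no SNI extension (e.g. connected by IP)
        }
        String host = normalize(serverName);
        String hit = exact.get(host);                     // 1. exact lookup, O(1)
        if (hit != null) { return hit; }
        int dot = host.indexOf('.');
        if (dot > 0) {                                    // 2. strip exactly one leading label, so
            hit = wildcard.get(host.substring(dot + 1));  //    "a.b.example.com" cannot match "*.example.com"
            if (hit != null) { return hit; }
        }
        return defaultContext;                            // 3. fallback to the default certificate
    }

    private static String normalize(String name) {        // SNI names are case-insensitive; drop a trailing FQDN dot
        String n = name.trim().toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    public static void main(String[] args) {
        SniHostnameMatcherDemo m = new SniHostnameMatcherDemo("default-ctx");
        m.add("*.example.com", "example-ctx");            // constructed sample configuration
        m.add("mq.sample.org", "sample-ctx");
        for (String h : new String[] {"foo.example.com", "a.b.example.com", "example.com", "MQ.sample.org.", ""}) {
            System.out.println("'" + h + "' -> " + m.resolve(h));
        }
    }
}
```

In a Netty pipeline the same lookup would be supplied to `SniHandler` as its hostname-to-`SslContext` mapping, which is the place the spec proposes resolving the per-domain context.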