[ https://issues.apache.org/jira/browse/MINIFICPP-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ferenc Gerlits resolved MINIFICPP-1346.
---------------------------------------
Resolution: Fixed
> Add SNI info to raw TCP TLS/SSL handshake
> -----------------------------------------
>
> Key: MINIFICPP-1346
> URL: https://issues.apache.org/jira/browse/MINIFICPP-1346
> Project: Apache NiFi MiNiFi C++
> Issue Type: Improvement
> Reporter: Ferenc Gerlits
> Assignee: Ferenc Gerlits
> Priority: Minor
> Attachments: ClientHello_api-call_after.png,
> ClientHello_api-call_before.png, ClientHello_initial_after.png,
> ClientHello_initial_before.png
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> From Daniel Schoberle:
> It seems that when TLS/SSL is used, the TLS handshake is not using the SNI
> extension. So the reverse proxy load balancing can't work as described for
> NiFi. I've tcpdumped the handshake, the target hostname is not filled in the
> TLS ClientHello packet:
> (9091 - HTTPS port, 9099 - raw TCP port)
> {noformat}
> [root@locallb02 nginx]# tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >>
> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and host
> 10.6.0.13' -nnXSs0 -ttt
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144
> bytes
> 00:00:00.000000 IP 10.6.0.13.39888 > 10.6.0.11.9091: Flags [P.], seq
> 1025627430:1025627677, ack 3555885837, win 229, options [nop,nop,TS val
> 415548221 ecr 415534473], length 247
> 0x0000: 4500 012b 1610 4000 4006 0f9a 0a06 000d E..+..@.@.......
> 0x0010: 0a06 000b 9bd0 2383 3d21 d526 d3f2 830d ......#.=!.&....
> 0x0020: 8018 00e5 f4f7 0000 0101 080a 18c4 c33d ...............=
> 0x0030: 18c4 8d89 1603 0100 f201 0000 ee03 03a3 ................
> 0x0040: 7860 ae11 61e3 1c75 937e 7378 d305 ae5c x`..a..u.~sx...\
> 0x0050: 50f9 0890 22ac a097 934a 2a27 d7cc fc00 P..."....J*'....
> 0x0060: 005c c030 c02c c028 c024 c014 c00a 009f .\.0.,.(.$......
> 0x0070: 006b 0039 cca9 cca8 ccaa ff85 00c4 0088 .k.9............
> 0x0080: 0081 009d 003d 0035 00c0 0084 c02f c02b .....=.5...../.+
> 0x0090: c027 c023 c013 c009 009e 0067 0033 00be .'.#.......g.3..
> 0x00a0: 0045 009c 003c 002f 00ba 0041 c011 c007 .E...<./...A....
> 0x00b0: 0005 0004 c012 c008 0016 000a 00ff 0100 ................
> 0x00c0: 0069 0000 0024 0022 0000 1f69 6970 6e69 .i...$."...iipni
> 0x00d0: 6669 2e63 6369 7363 6c6f 7564 6572 612e fi.cciscloudera.
> 0x00e0: 6e63 732e 636f 6d2e 7367 000b 0002 0100 ncs.com.sg......
> 0x00f0: 000a 0008 0006 001d 0017 0018 000d 001c ................
> 0x0100: 001a 0601 0603 efef 0501 0503 0401 0403 ................
> 0x0110: eeee eded 0301 0303 0201 0203 0010 000b ................
> 0x0120: 0009 0868 7474 702f 312e 3100 0000 0000 ...http/1.1.....
> 0x0130: 0000 0000 0000 0000 0000 00 ...........
> 00:00:00.473570 IP 10.6.0.13.40906 > 10.6.0.11.9099: Flags [P.], seq
> 3091594577:3091594773, ack 1445468953, win 229, options [nop,nop,TS val
> 415548695 ecr 415534953], length 196
> 0x0000: 4500 00f8 385e 4000 4006 ed7e 0a06 000d E...8^@.@..~....
> 0x0010: 0a06 000b 9fca 238b b845 fd51 5628 1b19 ......#..E.QV(..
> 0x0020: 8018 00e5 2e15 0000 0101 080a 18c4 c517 ................
> 0x0030: 18c4 8f69 1603 0100 bf01 0000 bb03 0394 ...i............
> 0x0040: 3310 069f 2793 142c 8f45 a7e7 51b8 8c00 3...'..,.E..Q...
> 0x0050: ff70 1d58 0bee dd5a 5137 3d17 d9ef cb00 .p.X...ZQ7=.....
> 0x0060: 005c c030 c02c c028 c024 c014 c00a 009f .\.0.,.(.$......
> 0x0070: 006b 0039 cca9 cca8 ccaa ff85 00c4 0088 .k.9............
> 0x0080: 0081 009d 003d 0035 00c0 0084 c02f c02b .....=.5...../.+
> 0x0090: c027 c023 c013 c009 009e 0067 0033 00be .'.#.......g.3..
> 0x00a0: 0045 009c 003c 002f 00ba 0041 c011 c007 .E...<./...A....
> 0x00b0: 0005 0004 c012 c008 0016 000a 00ff 0100 ................
> 0x00c0: 0036 000b 0002 0100 000a 0008 0006 001d .6..............
> 0x00d0: 0017 0018 0023 0000 000d 001c 001a 0601 .....#..........
> 0x00e0: 0603 efef 0501 0503 0401 0403 eeee eded ................
> 0x00f0: 0301 0303 0201 0203 0000 0000 0000 0000 ................
> 0x0100: 0000 0000 0000 0000 ........
> {noformat}
> Minifi should add the target hostname in the SNI section of the
> ClientHello message when connecting to a server using TLS.
> Minifi did add an SNI section to the initial query on port
> {{nifi.web.https.port}}, see the ClientHello_initial_before.png attachment
> (port 9443), but I could not find where this happens. In the follow-up
> message on port {{nifi.remote.input.socket.port}}, no SNI info was added to
> the ClientHello message as can be seen above and in the
> ClientHello_api-call_before.png attachment (port 10443).
> I have added an {{SSL_set_tlsext_host_name()}} call to
> {{TLSSocket::initialize()}}, and now the SNI info is added to the ClientHello
> message in both cases, as can be seen in the ClientHello_initial_after.png
> and ClientHello_api-call_after.png attachments.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
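The difference the reporter saw in tcpdump can be checked mechanically. The following Python script is an added example, not code from the MiNiFi C++ project: it parses a raw TLS ClientHello record, pulls out the server_name (SNI) and ALPN extensions, and reports whether the hostname an SNI-routing reverse proxy needs is actually there. The two sample records are the TLS payloads transcribed from the two packets in the capture above (TCP payload starting at packet offset 0x34, after the 20-byte IP header and 32-byte TCP header); the expected hostname passed to the check is the one visible in the first capture.

```python
"""Extract and check the SNI extension of a raw TLS ClientHello (added example)."""
from typing import Dict, List, Optional, Tuple

# TLS extension type numbers (IANA registry).
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010


def _u16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")


def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Extensions block: 2-byte total length, then (type, 2-byte length, body) entries."""
    exts: Dict[int, bytes] = {}
    pos, end = 2, 2 + _u16(blob, 0)
    if end > len(blob):
        raise ValueError("extensions block truncated")
    while pos + 4 <= end:
        etype, elen = _u16(blob, pos), _u16(blob, pos + 2)
        pos += 4
        if pos + elen > end:
            raise ValueError("extension %#06x truncated" % etype)
        exts[etype] = blob[pos:pos + elen]
        pos += elen
    return exts


def parse_sni(body: bytes) -> Optional[str]:
    """server_name body: 2-byte list length, then (name_type, 2-byte length, name) entries."""
    pos, end = 2, 2 + _u16(body, 0)
    while pos + 3 <= end:
        name_type, nlen = body[pos], _u16(body, pos + 1)
        pos += 3
        if name_type == 0:  # host_name
            return body[pos:pos + nlen].decode("ascii")
        pos += nlen
    return None


def parse_alpn(body: bytes) -> List[str]:
    """ALPN body: 2-byte list length, then (1-byte length, protocol name) entries."""
    names: List[str] = []
    pos, end = 2, 2 + _u16(body, 0)
    while pos < end:
        n = body[pos]
        pos += 1
        names.append(body[pos:pos + n].decode("ascii"))
        pos += n
    return names


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record (type 0x16) carrying a ClientHello handshake message."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    ch = hs[4:4 + hs_len]
    if len(ch) != hs_len:
        raise ValueError("ClientHello truncated")
    pos = 0
    version = _u16(ch, pos)
    pos += 2
    pos += 32                      # client random
    pos += 1 + ch[pos]             # session id
    cs_len = _u16(ch, pos)
    pos += 2
    suites = [_u16(ch, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + ch[pos]             # compression methods
    exts = parse_extensions(ch[pos:]) if pos < len(ch) else {}
    return {
        "version": version,
        "cipher_suites": suites,
        "extensions": exts,
        "sni": parse_sni(exts[EXT_SERVER_NAME]) if EXT_SERVER_NAME in exts else None,
        "alpn": parse_alpn(exts[EXT_ALPN]) if EXT_ALPN in exts else [],
    }


def check_sni(record: bytes, expected_host: str) -> Tuple[bool, str]:
    """Proxy-side check: does the ClientHello name the backend host the proxy routes on?"""
    sni = parse_client_hello(record)["sni"]
    if sni is None:
        return False, "no server_name extension; SNI-based routing cannot pick a backend"
    if sni != expected_host:
        return False, "SNI %r does not match expected %r" % (sni, expected_host)
    return True, "SNI %r present" % sni


# TLS payloads transcribed from the two captured packets above (constructed from the dump).
HTTPS_9091 = bytes.fromhex(
    "1603 0100 f201 0000 ee03 03a3 7860 ae11 61e3 1c75 937e 7378 d305 ae5c"
    "50f9 0890 22ac a097 934a 2a27 d7cc fc00 005c c030 c02c c028 c024 c014 c00a 009f"
    "006b 0039 cca9 cca8 ccaa ff85 00c4 0088 0081 009d 003d 0035 00c0 0084 c02f c02b"
    "c027 c023 c013 c009 009e 0067 0033 00be 0045 009c 003c 002f 00ba 0041 c011 c007"
    "0005 0004 c012 c008 0016 000a 00ff 0100 0069 0000 0024 0022 0000 1f69 6970 6e69"
    "6669 2e63 6369 7363 6c6f 7564 6572 612e 6e63 732e 636f 6d2e 7367 000b 0002 0100"
    "000a 0008 0006 001d 0017 0018 000d 001c 001a 0601 0603 efef 0501 0503 0401 0403"
    "eeee eded 0301 0303 0201 0203 0010 000b 0009 0868 7474 702f 312e 31")
RAW_TCP_9099 = bytes.fromhex(
    "1603 0100 bf01 0000 bb03 0394 3310 069f 2793 142c 8f45 a7e7 51b8 8c00"
    "ff70 1d58 0bee dd5a 5137 3d17 d9ef cb00 005c c030 c02c c028 c024 c014 c00a 009f"
    "006b 0039 cca9 cca8 ccaa ff85 00c4 0088 0081 009d 003d 0035 00c0 0084 c02f c02b"
    "c027 c023 c013 c009 009e 0067 0033 00be 0045 009c 003c 002f 00ba 0041 c011 c007"
    "0005 0004 c012 c008 0016 000a 00ff 0100 0036 000b 0002 0100 000a 0008 0006 001d"
    "0017 0018 0023 0000 000d 001c 001a 0601 0603 efef 0501 0503 0401 0403 eeee eded"
    "0301 0303 0201 0203")

if __name__ == "__main__":
    host = "iipnifi.cciscloudera.ncs.com.sg"
    for label, rec in (("9091 (HTTPS)", HTTPS_9091), ("9099 (raw TCP)", RAW_TCP_9099)):
        print(label, check_sni(rec, host))
```

Run as a script it prints the port 9091 record as carrying the hostname and the port 9099 record as carrying none, which is exactly the gap the issue fixes. On the client side, the OpenSSL call the issue names, SSL_set_tlsext_host_name(), must be made on the SSL object before SSL_connect(); the equivalent in Python's standard library is passing server_hostname to ssl.SSLContext.wrap_socket().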