[ https://issues.apache.org/jira/browse/MINIFICPP-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ferenc Gerlits resolved MINIFICPP-1346.
---------------------------------------
    Resolution: Fixed

> Add SNI info to raw TCP TLS/SSL handshake
> -----------------------------------------
>
>                 Key: MINIFICPP-1346
>                 URL: https://issues.apache.org/jira/browse/MINIFICPP-1346
>             Project: Apache NiFi MiNiFi C++
>          Issue Type: Improvement
>            Reporter: Ferenc Gerlits
>            Assignee: Ferenc Gerlits
>            Priority: Minor
>         Attachments: ClientHello_api-call_after.png, ClientHello_api-call_before.png, ClientHello_initial_after.png, ClientHello_initial_before.png
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> From Daniel Schoberle:
>
> It seems that when TLS/SSL is used, the TLS handshake is not using the SNI extension. So the reverse proxy load balancing can't work as described for NiFi. I've tcpdumped the handshake, the target hostname is not filled in the TLS ClientHello package:
>
> (9091 - HTTPS port, 9099 - raw TCP port)
>
> {noformat}
> [root@locallb02 nginx]# tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and host 10.6.0.13' -nnXSs0 -ttt
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> 00:00:00.000000 IP 10.6.0.13.39888 > 10.6.0.11.9091: Flags [P.], seq 1025627430:1025627677, ack 3555885837, win 229, options [nop,nop,TS val 415548221 ecr 415534473], length 247
>     0x0000:  4500 012b 1610 4000 4006 0f9a 0a06 000d  E..+..@.@.......
>     0x0010:  0a06 000b 9bd0 2383 3d21 d526 d3f2 830d  ......#.=!.&....
>     0x0020:  8018 00e5 f4f7 0000 0101 080a 18c4 c33d  ...............=
>     0x0030:  18c4 8d89 1603 0100 f201 0000 ee03 03a3  ................
>     0x0040:  7860 ae11 61e3 1c75 937e 7378 d305 ae5c  x`..a..u.~sx...\
>     0x0050:  50f9 0890 22ac a097 934a 2a27 d7cc fc00  P..."....J*'....
>     0x0060:  005c c030 c02c c028 c024 c014 c00a 009f  .\.0.,.(.$......
>     0x0070:  006b 0039 cca9 cca8 ccaa ff85 00c4 0088  .k.9............
>     0x0080:  0081 009d 003d 0035 00c0 0084 c02f c02b  .....=.5...../.+
>     0x0090:  c027 c023 c013 c009 009e 0067 0033 00be  .'.#.......g.3..
>     0x00a0:  0045 009c 003c 002f 00ba 0041 c011 c007  .E...<./...A....
>     0x00b0:  0005 0004 c012 c008 0016 000a 00ff 0100  ................
>     0x00c0:  0069 0000 0024 0022 0000 1f69 6970 6e69  .i...$."...iipni
>     0x00d0:  6669 2e63 6369 7363 6c6f 7564 6572 612e  fi.cciscloudera.
>     0x00e0:  6e63 732e 636f 6d2e 7367 000b 0002 0100  ncs.com.sg......
>     0x00f0:  000a 0008 0006 001d 0017 0018 000d 001c  ................
>     0x0100:  001a 0601 0603 efef 0501 0503 0401 0403  ................
>     0x0110:  eeee eded 0301 0303 0201 0203 0010 000b  ................
>     0x0120:  0009 0868 7474 702f 312e 3100 0000 0000  ...http/1.1.....
>     0x0130:  0000 0000 0000 0000 0000 00              ...........
> 00:00:00.473570 IP 10.6.0.13.40906 > 10.6.0.11.9099: Flags [P.], seq 3091594577:3091594773, ack 1445468953, win 229, options [nop,nop,TS val 415548695 ecr 415534953], length 196
>     0x0000:  4500 00f8 385e 4000 4006 ed7e 0a06 000d  E...8^@.@..~....
>     0x0010:  0a06 000b 9fca 238b b845 fd51 5628 1b19  ......#..E.QV(..
>     0x0020:  8018 00e5 2e15 0000 0101 080a 18c4 c517  ................
>     0x0030:  18c4 8f69 1603 0100 bf01 0000 bb03 0394  ...i............
>     0x0040:  3310 069f 2793 142c 8f45 a7e7 51b8 8c00  3...'..,.E..Q...
>     0x0050:  ff70 1d58 0bee dd5a 5137 3d17 d9ef cb00  .p.X...ZQ7=.....
>     0x0060:  005c c030 c02c c028 c024 c014 c00a 009f  .\.0.,.(.$......
>     0x0070:  006b 0039 cca9 cca8 ccaa ff85 00c4 0088  .k.9............
>     0x0080:  0081 009d 003d 0035 00c0 0084 c02f c02b  .....=.5...../.+
>     0x0090:  c027 c023 c013 c009 009e 0067 0033 00be  .'.#.......g.3..
>     0x00a0:  0045 009c 003c 002f 00ba 0041 c011 c007  .E...<./...A....
>     0x00b0:  0005 0004 c012 c008 0016 000a 00ff 0100  ................
>     0x00c0:  0036 000b 0002 0100 000a 0008 0006 001d  .6..............
>     0x00d0:  0017 0018 0023 0000 000d 001c 001a 0601  .....#..........
>     0x00e0:  0603 efef 0501 0503 0401 0403 eeee eded  ................
>     0x00f0:  0301 0303 0201 0203 0000 0000 0000 0000  ................
>     0x0100:  0000 0000 0000 0000                      ........
> {noformat}
>
> Minifi should add the target hostname in the SNI section of the ClientHello message when connecting to a server using TLS.
>
> Minifi did add an SNI section to the initial query on port {{nifi.web.https.port}}, see the ClientHello_initial_before.png attachment (port 9443), but I could not find where this happens. In the follow-up message on port {{nifi.remote.input.socket.port}}, no SNI info was added to the ClientHello message as can be seen above and in the ClientHello_api-call_before.png attachment (port 10443).
>
> I have added an {{SSL_set_tlsext_host_name()}} call to {{TLSSocket::initialize()}}, and now the SNI info is added to the ClientHello message in both cases, as can be seen in the ClientHello_initial_after.png and ClientHello_api-call_after.png attachments.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
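The report above establishes the defect by eye from a hexdump. The script below is an added example (not part of the Jira issue and not MiNiFi C++ project code) that decodes the two ClientHello records from that capture and reports whether each carries a server_name (SNI) extension, which is the field an SNI-routing reverse proxy keys on. The two hex blobs are the TCP payloads copied from the dump (bytes from offset 0x34 of each packet, i.e. after the 20-byte IP and 32-byte TCP headers); the function names `parse_client_hello`, `parse_server_name`, `parse_alpn` and `check_captures` are this example's own.

```python
"""Decode TLS ClientHello records and report whether the SNI extension is present.

HELLO_9091_HEX / HELLO_9099_HEX are the TLS records copied from the tcpdump output
in MINIFICPP-1346 (HTTPS port 9091 and raw TCP port 9099 respectively); the
parser itself follows the ClientHello layout of RFC 5246 and the server_name /
ALPN extension layouts of RFC 6066 and RFC 7301.
"""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_SESSION_TICKET = 0x0023

# ClientHello sent to port 9091 (247 bytes, copied from the first packet of the capture).
HELLO_9091_HEX = """
1603 0100 f201 0000 ee03 03a3 7860 ae11 61e3 1c75 937e 7378 d305 ae5c
50f9 0890 22ac a097 934a 2a27 d7cc fc00 005c c030 c02c c028 c024 c014 c00a 009f
006b 0039 cca9 cca8 ccaa ff85 00c4 0088 0081 009d 003d 0035 00c0 0084 c02f c02b
c027 c023 c013 c009 009e 0067 0033 00be 0045 009c 003c 002f 00ba 0041 c011 c007
0005 0004 c012 c008 0016 000a 00ff 0100 0069 0000 0024 0022 0000 1f69 6970 6e69
6669 2e63 6369 7363 6c6f 7564 6572 612e 6e63 732e 636f 6d2e 7367 000b 0002 0100
000a 0008 0006 001d 0017 0018 000d 001c 001a 0601 0603 efef 0501 0503 0401 0403
eeee eded 0301 0303 0201 0203 0010 000b 0009 0868 7474 702f 312e 31
"""

# ClientHello sent to port 9099 (196 bytes, copied from the second packet of the capture).
HELLO_9099_HEX = """
1603 0100 bf01 0000 bb03 0394 3310 069f 2793 142c 8f45 a7e7 51b8 8c00
ff70 1d58 0bee dd5a 5137 3d17 d9ef cb00 005c c030 c02c c028 c024 c014 c00a 009f
006b 0039 cca9 cca8 ccaa ff85 00c4 0088 0081 009d 003d 0035 00c0 0084 c02f c02b
c027 c023 c013 c009 009e 0067 0033 00be 0045 009c 003c 002f 00ba 0041 c011 c007
0005 0004 c012 c008 0016 000a 00ff 0100 0036 000b 0002 0100 000a 0008 0006 001d
0017 0018 0023 0000 000d 001c 001a 0601 0603 efef 0501 0503 0401 0403 eeee eded
0301 0303 0201 0203
"""


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_server_name(ext: bytes) -> str:
    """Return the host_name entry of a server_name extension body (RFC 6066 s.3)."""
    pos, end = 2, 2 + _u16(ext, 0)
    while pos + 3 <= end:
        name_type, name_len = ext[pos], _u16(ext, pos + 1)
        name = ext[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:  # NameType host_name
            return name.decode("ascii")
    raise ValueError("server_name extension without a host_name entry")


def parse_alpn(ext: bytes) -> list:
    """Return the protocol names listed in an ALPN extension body (RFC 7301)."""
    pos, end, protos = 2, 2 + _u16(ext, 0), []
    while pos < end:
        plen = ext[pos]
        protos.append(ext[pos + 1:pos + 1 + plen].decode("ascii"))
        pos += 1 + plen
    return protos


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:       # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) != _u16(record, 3) or body[0] != 0x01:  # HandshakeType client_hello
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) != int.from_bytes(body[1:4], "big"):
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                    # skip client_version and random
    pos += 1 + hello[pos]           # skip session_id
    cs_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]           # skip compression_methods

    extensions, sni, alpn = [], None, []
    if pos + 2 <= len(hello):       # the extensions block is optional
        ext_end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            extensions.append(ext_type)
            if ext_type == EXT_SERVER_NAME:
                sni = parse_server_name(data)
            elif ext_type == EXT_ALPN:
                alpn = parse_alpn(data)
    return {"cipher_suites": suites, "extensions": extensions, "sni": sni, "alpn": alpn}


def check_captures() -> dict:
    """Map each captured destination port to the SNI host name it sent, or None."""
    return {port: parse_client_hello(bytes.fromhex(hexdump))["sni"]
            for port, hexdump in ((9091, HELLO_9091_HEX), (9099, HELLO_9099_HEX))}


if __name__ == "__main__":
    for port, sni in check_captures().items():
        print(f"port {port}: SNI = {sni if sni else 'MISSING'}")
```

Run as a script it prints the host name for port 9091 and `MISSING` for port 9099, which is exactly the asymmetry the attachments show: the same cipher-suite list and signature algorithms go out on both connections, but only the HTTPS ClientHello carries the server_name extension, so a proxy that routes on SNI has nothing to route on for the raw-socket connection. Feeding the decoder the TCP payload of any other captured ClientHello (for example one taken after the `SSL_set_tlsext_host_name()` change) is a quick way to confirm the fix from a packet capture rather than from a screenshot.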