hyper-tls

Add possibility to set the SNI host for the connections

Open olksdr opened this issue 4 years ago • 5 comments

Sometimes the URI and the exact host which we want to connect to have different domains. And we need to have a way to set the domain for the TLS connection which will be used to verify the TLS cert. The domain from the URI will still be used to create an underlying TCP connection.

For example:

Target host: example.com
Target host's TLS: example.net

With the SNI host set to example.net we can still easily connect to example.com and get the correct resources as for example.net.

olksdr avatar Jul 22 '20 14:07 olksdr

I don't think the failing CI job is related to my changes.

olksdr avatar Jul 23 '20 08:07 olksdr

Hey @seanmonstar, thanks for the review!

> Is it that typical for servers to have certificates with SNI requirements that don't match their DNS values?

Yes, this is very typical for proxies/gateways. For example:

  • We have a host example.com, and the TLS termination happens on the Rust service (gateway), but we still need to connect to a third party over HTTPS, e.g. https://203.0.113.5
  • The third-party web server is configured with a valid certificate for example.com, but we cannot use this domain for the connection since the DNS points to our service with a completely different IP
  • In this case we need to connect to https://203.0.113.5 but tell the TLS layer to use example.com for the connection and certificate verification
  • The remote HTTP server will route our connection correctly to the correct virtual host.

Very good check for this:

openssl s_client -connect <IP_ADDRESS>:443 -servername <HOSTNAME>

So, this PR adds the possibility to configure the same behavior as you can see in the openssl example above. And with this configuration we have SSL between the gateway and the third-party service provider.

This is a very important feature which I would like to see supported.

What do you think?

olksdr avatar Jul 24 '20 09:07 olksdr
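The workflow described in the comment above (TCP to one address, SNI and certificate verification against a different hostname, and a matching Host header so the remote virtual host routes the request) as an added illustration. This is not hyper-tls code or code from anyone in the thread; it uses Python's standard `ssl` module, where `server_hostname` sets both the SNI extension and the name the certificate is verified against, so certificate verification stays enabled. The URL and hostnames are the thread's documentation examples; `plan_connection` and `connect_and_get` are names chosen here.

```python
"""Connect to one address but present and verify a different TLS hostname.

Added example (not hyper-tls code): the transport target comes from the
URL, while the TLS identity (SNI + certificate hostname check) and the
HTTP Host header come from an explicit override.
"""
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit


def _is_ip_literal(host: str) -> bool:
    """True if host is an IPv4 or IPv6 address literal."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except OSError:
            pass
    return False


def plan_connection(target_url: str, sni_host: Optional[str] = None) -> dict:
    """Split a request into its transport target and its TLS identity.

    tcp_host/port: where the TCP connection goes (from the URL).
    tls_host:      the name sent as SNI and checked against the certificate
                   (sni_host if given, otherwise the URL host).
    host_header:   follows tls_host so the remote virtual host matches.
    """
    parts = urlsplit(target_url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are meaningful here")
    if not parts.hostname:
        raise ValueError("URL has no host")
    tcp_host = parts.hostname
    port = parts.port or 443
    tls_host = sni_host or tcp_host
    # Design choice of this example: the thread's scenario is a certificate
    # issued for a DNS name, so an IP literal as the TLS identity means the
    # caller forgot the override (RFC 6066 also forbids IP literals in SNI).
    if _is_ip_literal(tls_host):
        raise ValueError(
            f"{tls_host!r} is an IP literal; pass sni_host with the certificate's DNS name"
        )
    host_header = tls_host if port == 443 else f"{tls_host}:{port}"
    return {
        "tcp_host": tcp_host,
        "port": port,
        "tls_host": tls_host,
        "host_header": host_header,
        "path": parts.path or "/",
    }


def connect_and_get(target_url: str, sni_host: Optional[str] = None,
                    timeout: float = 10.0) -> bytes:
    """Perform a minimal HTTPS GET using the plan above; returns the raw response."""
    plan = plan_connection(target_url, sni_host)
    # Default context: certificate chain and hostname verification stay on.
    ctx = ssl.create_default_context()
    raw = socket.create_connection((plan["tcp_host"], plan["port"]), timeout=timeout)
    # server_hostname is the equivalent of openssl's -servername: it is sent
    # as SNI and the certificate is verified against it, not against tcp_host.
    with ctx.wrap_socket(raw, server_hostname=plan["tls_host"]) as tls:
        request = (
            f"GET {plan['path']} HTTP/1.1\r\n"
            f"Host: {plan['host_header']}\r\n"
            "Connection: close\r\n\r\n"
        )
        tls.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = tls.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    # usage: python sni_override.py https://<address>/ <certificate-hostname>
    url = sys.argv[1]
    sni = sys.argv[2] if len(sys.argv) > 2 else None
    status_line = connect_and_get(url, sni).split(b"\r\n", 1)[0]
    print(status_line.decode("ascii", "replace"))
```

Running it as `python sni_override.py https://203.0.113.5/ example.com` mirrors `openssl s_client -connect 203.0.113.5:443 -servername example.com`: the socket goes to the address, the handshake carries example.com, and the certificate must be valid for example.com or the handshake fails. The override only redirects verification to a different name; it never disables it.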

Hi @seanmonstar, did you have time to consider and think about the proposed changes? Maybe you have some idea how to handle the workflow described above better?

olksdr avatar Aug 04 '20 15:08 olksdr

This would be useful, as I want to manually resolve a host's IP myself using DNS, then connect to that and set the HOST header.

Absolucy avatar Jan 30 '22 21:01 Absolucy

I agree, this is an important feature for http proxies. And now I guess I'll just have to copy the crate...

@seanmonstar Is this project alive at all? No commits since 2020...

ermakov-oleg avatar Feb 13 '23 13:02 ermakov-oleg