[KNET-21308] Capture SNI via SNIMatcher instead of ExtendedSSLSession#703
Draft
Truc Nguyen (trnguyencflt) wants to merge 2 commits into
Draft
[KNET-21308] Capture SNI via SNIMatcher instead of ExtendedSSLSession#703Truc Nguyen (trnguyencflt) wants to merge 2 commits into
Truc Nguyen (trnguyencflt) wants to merge 2 commits into
Conversation
Install a CapturingSniMatcher per SSLEngine in SslFactory's customize() and read the captured name from SSLParameters.getSNIMatchers() in SniUtils. Replaces the server-side ExtendedSSLSession.getRequestedServerNames() lookup, which is not reliably populated on the server side by all JSSE providers (notably FIPS providers). No behavior change for clients: the matcher always returns true, so policy checks remain in the existing HTTP-level SniHandler / PrefixSniHandler / ExpectedSniHandler.
There was a problem hiding this comment.
Pull request overview
This PR changes how the server extracts the client-provided SNI host name by installing a per-SSLEngine SNIMatcher that captures the SNI during the TLS handshake, instead of relying on ExtendedSSLSession.getRequestedServerNames() (which may be unpopulated in some JSSE/FIPS providers).
Changes:
- Install a per-connection
CapturingSniMatcherviaSslContextFactory.Server.customize(SSLEngine). - Update
SniUtilsto read the captured SNI value from the installed matcher rather thanExtendedSSLSession. - Add
CapturingSniMatcherimplementation to record the SNI host name during handshake.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| core/src/main/java/io/confluent/rest/SslFactory.java | Installs a per-SSLEngine SNI matcher during Jetty SSL engine customization. |
| core/src/main/java/io/confluent/rest/handlers/SniUtils.java | Switches SNI extraction logic to read from the capturing matcher. |
| core/src/main/java/io/confluent/rest/handlers/CapturingSniMatcher.java | New matcher that captures the SNI host name while always allowing the handshake to proceed. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Truc Nguyen (trnguyencflt)
changed the title
Only install CapturingSniMatcher when no SNI_HOST_NAME matcher is already configured by Jetty (it installs AliasSNIMatcher whenever the keystore has hostname-bearing certs, used by SniX509ExtendedKeyManager for cert selection). When Jetty's matcher is present, SniUtils falls back to ExtendedSSLSession.getRequestedServerNames(), which is reliably populated because AliasSNIMatcher ran. Addresses PR #703 review feedback.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
KNET-21308
Summary
SSLEngineCapturingSniMatcherfromSslFactory.customize(), only when noSNI_HOST_NAMEmatcher is already configured (Jetty installs its ownAliasSNIMatcherwhenever the keystore has hostname-bearing certs, used bySniX509ExtendedKeyManagerfor SNI-based cert selection — we coexist with it rather than trample it).SniUtils.getSniServerName()reads fromCapturingSniMatcherwhen present; otherwise falls back toExtendedSSLSession.getRequestedServerNames(), which is reliably populated because Jetty'sAliasSNIMatcherran.getRequestedServerNames()is not populated server-side on some JSSE providers.true, so policy checks remain in the existingSniHandler/PrefixSniHandler/ExpectedSniHandler.Test plan
mvn -pl core compilemvn -pl core failsafe:integration-test -Dit.test='SniHandlerIntegrationTest,PrefixSniHandlerIntegrationTest,ExpectedSniHandlerIntegrationTest'— 52/52 passmvn -pl core test -Dtest=ExpectedSniHandlerTest— 7/7 pass