akka-http - Setting TLS Server Name Indicator (SNI) explicitly for Client-Side HTTPS


sha...@leaprail.com

Jun 19, 2017, 12:33:07 AM
to Akka User List
I am trying to connect to internal microservices using the akka-http client-side HTTPS support.

These secure microservices are hosted behind a proxy (HAProxy in tcp mode passing TLS traffic through) with traffic routed to the appropriate service through TLS SNI.

In order to have akka-http properly connect to the services, we need to be able to set the TLS server_name extension in the ClientHello (SNI) to a value different from the host in the URL it is connecting to.

Let's say the microservice has a certificate for "bar.com" and the proxy is listening on "foo.com". We have set up the proxy such that if the SNI in the TLS handshake is set to "bar.com" when connecting to "foo.com", it properly routes traffic to the right place. We can verify this easily using openssl with the -servername argument:

openssl s_client -showcerts -servername bar.com -connect foo.com:443

When we try to attain the same outcome using akka-http, we are not able to alter the SNI in the TLS ClientHello when trying something like this:

import akka.actor.{ActorRef, ActorSystem}
import akka.http.scaladsl.{ConnectionContext, Http}
import akka.stream.ActorMaterializer
import javax.net.ssl.{SNIHostName, SNIServerName, SSLContext}
implicit val system: ActorSystem = ActorSystem()
implicit val materializer: ActorMaterializer = ActorMaterializer()
// sslContext (a javax.net.ssl.SSLContext) created with internal CA Root loaded into the trust store
val params = sslContext.getDefaultSSLParameters
// request SNI = bar.com although the TCP connection goes to foo.com
val serverName: SNIHostName = new SNIHostName("bar.com")
val serverNames = new java.util.ArrayList[SNIServerName](1)
serverNames.add(serverName)
params.setServerNames(serverNames)
val ctx = ConnectionContext.https(sslContext, sslParameters = Some(params))
Http(system).cachedHostConnectionPoolHttps[ActorRef](host = "foo.com", port = 443, connectionContext = ctx)

the client still uses the value in host (foo.com) for SNI and fails to get routed to the correct service.

Any idea how this can be accomplished?

Many thanks in advance,
Shayan

johannes...@lightbend.com

Jul 13, 2017, 10:29:42 AM
to Akka User List
Hi Shayan,

this seems like an uncommon usage for an HTTP client. Basically you want to connect to a server that presents a certificate for the wrong host name. This is unsupported out of the box because it would be an unsafe thing to do in general.

The way you tried it does not work because the server name is later overwritten by the actual host name. It might work if you turn off akka-http's own SNI support by setting `ssl-config.loose.disableSNI = true`.

Johannes
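
Added example (my code, not from either post and not akka-http): what Shayan checks with `openssl s_client -servername` and what Johannes describes as "overwritten by the actual host name" both come down to which name ends up in the server_name extension of the ClientHello. The script below uses only the Python standard library: it drives a client handshake through memory BIOs (no socket, no network), captures the ClientHello bytes the client would send, and parses the SNI extension out of them the way a tcp-mode proxy such as HAProxy does before any routing decision. The hostnames foo.com and bar.com are the ones from the thread; the function names are mine. The point it makes is that the announced SNI is purely a client-side choice, not something derived from the destination address, and that in Python the same `server_hostname` is also the name the peer certificate is later checked against, which is exactly the coupling that makes "SNI differs from certificate name" the unsafe case Johannes warns about.

```python
import ssl
import struct
from typing import Optional

# Hostnames from the thread: the proxy listens as foo.com, the service behind
# it holds a certificate for bar.com and is selected by SNI.
PROXY_HOST = "foo.com"
SERVICE_NAME = "bar.com"


def capture_client_hello(server_hostname: str) -> bytes:
    """Return the bytes a Python TLS client would write first on the wire.

    A memory-BIO handshake is driven until the client needs server input;
    by then the ClientHello sits in the outgoing BIO. No socket is opened.
    """
    # PROTOCOL_TLS_CLIENT verifies the certificate AND checks it against
    # server_hostname, so the SNI name and the verified name are the same.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello written; now waiting for a ServerHello that never comes
    return outgoing.read()


def extract_sni(wire: bytes) -> Optional[str]:
    """Parse the server_name extension (type 0) out of raw ClientHello records.

    This is the inspection a tcp-mode proxy performs to pick a backend: it
    never sees the URL, only the name the client chose to put here.
    """
    handshake, off = b"", 0
    while off + 5 <= len(wire):                     # record header: type, version, length
        ctype, _version, length = struct.unpack("!BHH", wire[off:off + 5])
        if ctype != 22:
            raise ValueError("expected handshake record, got content type %d" % ctype)
        handshake += wire[off + 5:off + 5 + length]
        off += 5 + length
    if len(handshake) < 4 or handshake[0] != 1:     # HandshakeType client_hello = 1
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    p = 2 + 32                                      # legacy_version + random
    p += 1 + body[p]                                # legacy_session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher_suites
    p += 1 + body[p]                                # legacy_compression_methods
    if p + 2 > len(body):
        return None                                 # ClientHello without extensions
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0:
            continue
        q = 2                                       # skip ServerNameList length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                      # NameType host_name
                return name.decode("ascii")
    return None


def sni_sent_for(server_hostname: str) -> Optional[str]:
    """Which name a client configured with server_hostname actually announces."""
    return extract_sni(capture_client_hello(server_hostname))


if __name__ == "__main__":
    # The destination address never enters the picture: SNI is what the client sets.
    for name in (PROXY_HOST, SERVICE_NAME):
        print("server_hostname=%-8s -> ClientHello SNI=%s" % (name, sni_sent_for(name)))
```

Run it as-is; it prints foo.com and bar.com respectively as the announced SNI. The hardening consequence for the setup in the thread is the same in any client: whoever can choose the SNI independently of the verified name can be routed to a backend whose certificate the client never expected, so a client that lets the two diverge has to make sure hostname verification still targets the name it actually intends to talk to, which in this example is bar.com.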