Add SNI support to TcpClient (#122)

an-tao · web-flow · commit 59f857cd061e · 2021-02-21T13:18:50.000+08:00
diff --git a/trantor/net/TcpClient.cc b/trantor/net/TcpClient.cc
@@ -15,10 +15,13 @@
 #include "Connector.h"
 #include "inner/TcpConnectionImpl.h"
 #include <trantor/net/EventLoop.h>
+
+#include <functional>
+#include <algorithm>
+
 #include "Socket.h"
 
 #include <stdio.h>  // snprintf
-#include <functional>
 
 using namespace trantor;
 using namespace std::placeholders;
@@ -140,8 +143,13 @@ void TcpClient::newConnection(int sockfd)
     if (sslCtxPtr_)
     {
 #ifdef USE_OPENSSL
-        conn = std::make_shared<TcpConnectionImpl>(
-            loop_, sockfd, localAddr, peerAddr, sslCtxPtr_, false);
+        conn = std::make_shared<TcpConnectionImpl>(loop_,
+                                                   sockfd,
+                                                   localAddr,
+                                                   peerAddr,
+                                                   sslCtxPtr_,
+                                                   false,
+                                                   SSLHostName_);
 #else
         LOG_FATAL << "OpenSSL is not found in your system!";
         abort();
@@ -187,11 +195,20 @@ void TcpClient::removeConnection(const TcpConnectionPtr &conn)
     }
 }
 
-void TcpClient::enableSSL(bool useOldTLS)
+void TcpClient::enableSSL(bool useOldTLS, std::string hostname)
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
     sslCtxPtr_ = newSSLContext(useOldTLS);
+    if (!hostname.empty())
+    {
+        std::transform(hostname.begin(),
+                       hostname.end(),
+                       hostname.begin(),
+                       tolower);
+        SSLHostName_ = std::move(hostname);
+    }
+
 #else
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();
diff --git a/trantor/net/TcpClient.h b/trantor/net/TcpClient.h
@@ -179,10 +179,12 @@ class TcpClient : NonCopyable
      * @brief Enable SSL encryption.
      * @param useOldTLS If true, the TLS 1.0 and 1.1 are supported by the
      * client.
+     * @param hostname The server hostname for SNI. If it is empty, the SNI is
+     * not used.
      * @note It's well known that TLS 1.0 and 1.1 are not considered secure in
      * 2020. And it's a good practice to only use TLS 1.2 and above.
      */
-    void enableSSL(bool useOldTLS = false);
+    void enableSSL(bool useOldTLS = false, std::string hostname = "");
 
   private:
     /// Not thread safe, but in loop
@@ -203,6 +205,7 @@ class TcpClient : NonCopyable
     mutable std::mutex mutex_;
     TcpConnectionPtr connection_;  // @GuardedBy mutex_
     std::shared_ptr<SSLContext> sslCtxPtr_;
+    std::string SSLHostName_;
 #ifndef _WIN32
     class IgnoreSigPipe
     {
diff --git a/trantor/net/TcpConnection.h b/trantor/net/TcpConnection.h
@@ -225,9 +225,12 @@ class TcpConnection
      *
      * @param callback The callback is called when the SSL connection is
      * established.
+     * @param hostname The server hostname for SNI. If it is empty, the SNI is
+     * not used.
      */
     virtual void startClientEncryption(std::function<void()> callback,
-                                       bool useOldTLS = false) = 0;
+                                       bool useOldTLS = false,
+                                       std::string hostname = "") = 0;
 
     /**
      * @brief Start the SSL encryption on the connection (as a server).
diff --git a/trantor/net/inner/TcpConnectionImpl.cc b/trantor/net/inner/TcpConnectionImpl.cc
@@ -54,6 +54,7 @@ void initOpenSSL()
     });
 #endif
 }
+
 class SSLContext
 {
   public:
@@ -62,7 +63,9 @@ class SSLContext
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
         ctxPtr_ = SSL_CTX_new(TLS_method());
         if (!useOldTLS)
+        {
             SSL_CTX_set_min_proto_version(ctxPtr_, TLS1_2_VERSION);
+        }
         else
         {
             LOG_WARN << "TLS 1.0/1.1 are enabled. They are considered "
@@ -73,8 +76,7 @@ class SSLContext
         ctxPtr_ = SSL_CTX_new(SSLv23_method());
         if (!useOldTLS)
         {
-            SSL_CTX_set_options(ctxPtr_, SSL_OP_NO_TLSv1);
-            SSL_CTX_set_options(ctxPtr_, SSL_OP_NO_TLSv1_1);
+            SSL_CTX_set_options(ctxPtr_, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
         }
         else
         {
@@ -210,7 +212,8 @@ TcpConnectionImpl::~TcpConnectionImpl()
 #ifdef USE_OPENSSL
 void TcpConnectionImpl::startClientEncryptionInLoop(
     std::function<void()> &&callback,
-    bool useOldTLS)
+    bool useOldTLS,
+    const std::string &hostname)
 {
     loop_->assertInLoopThread();
     if (isEncrypted_)
@@ -223,6 +226,11 @@ void TcpConnectionImpl::startClientEncryptionInLoop(
     sslEncryptionPtr_->sslCtxPtr_ = newSSLContext(useOldTLS);
     sslEncryptionPtr_->sslPtr_ =
         std::make_unique<SSLConn>(sslEncryptionPtr_->sslCtxPtr_->get());
+    if (!hostname.empty())
+    {
+        SSL_set_tlsext_host_name(sslEncryptionPtr_->sslPtr_->get(),
+                                 hostname.data());
+    }
     isEncrypted_ = true;
     sslEncryptionPtr_->isUpgrade_ = true;
     auto r = SSL_set_fd(sslEncryptionPtr_->sslPtr_->get(), socketPtr_->fd());
@@ -285,23 +293,33 @@ void TcpConnectionImpl::startServerEncryption(
 #endif
 }
 void TcpConnectionImpl::startClientEncryption(std::function<void()> callback,
-                                              bool useOldTLS)
+                                              bool useOldTLS,
+                                              std::string hostname)
 {
 #ifndef USE_OPENSSL
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();
 #else
+    if (!hostname.empty())
+    {
+        std::transform(hostname.begin(),
+                       hostname.end(),
+                       hostname.begin(),
+                       tolower);
+    }
     if (loop_->isInLoopThread())
     {
-        startClientEncryptionInLoop(std::move(callback), useOldTLS);
+        startClientEncryptionInLoop(std::move(callback), useOldTLS, hostname);
     }
     else
     {
         loop_->queueInLoop([thisPtr = shared_from_this(),
                             callback = std::move(callback),
-                            useOldTLS]() mutable {
+                            useOldTLS,
+                            hostname = std::move(hostname)]() mutable {
             thisPtr->startClientEncryptionInLoop(std::move(callback),
-                                                 useOldTLS);
+                                                 useOldTLS,
+                                                 hostname);
         });
     }
 #endif
@@ -1372,7 +1390,8 @@ TcpConnectionImpl::TcpConnectionImpl(EventLoop *loop,
                                      const InetAddress &localAddr,
                                      const InetAddress &peerAddr,
                                      const std::shared_ptr<SSLContext> &ctxPtr,
-                                     bool isServer)
+                                     bool isServer,
+                                     const std::string &hostname)
     : loop_(loop),
       ioChannelPtr_(new Channel(loop, socketfd)),
       socketPtr_(new Socket(socketfd)),
@@ -1395,6 +1414,11 @@ TcpConnectionImpl::TcpConnectionImpl(EventLoop *loop,
     sslEncryptionPtr_ = std::make_unique<SSLEncryption>();
     sslEncryptionPtr_->sslPtr_ = std::make_unique<SSLConn>(ctxPtr->get());
     sslEncryptionPtr_->isServer_ = isServer;
+    if (!isServer && !hostname.empty())
+    {
+        SSL_set_tlsext_host_name(sslEncryptionPtr_->sslPtr_->get(),
+                                 hostname.data());
+    }
     assert(sslEncryptionPtr_->sslPtr_);
     auto r = SSL_set_fd(sslEncryptionPtr_->sslPtr_->get(), socketfd);
     (void)r;
diff --git a/trantor/net/inner/TcpConnectionImpl.h b/trantor/net/inner/TcpConnectionImpl.h
@@ -93,7 +93,8 @@ class TcpConnectionImpl : public TcpConnection,
                       const InetAddress &localAddr,
                       const InetAddress &peerAddr,
                       const std::shared_ptr<SSLContext> &ctxPtr,
-                      bool isServer = true);
+                      bool isServer = true,
+                      const std::string &hostname = "");
 #endif
     virtual ~TcpConnectionImpl();
     virtual void send(const char *msg, size_t len) override;
@@ -169,7 +170,8 @@ class TcpConnectionImpl : public TcpConnection,
         return bytesReceived_;
     }
     virtual void startClientEncryption(std::function<void()> callback,
-                                       bool useOldTLS = false) override;
+                                       bool useOldTLS = false,
+                                       std::string hostname = "") override;
     virtual void startServerEncryption(const std::shared_ptr<SSLContext> &ctx,
                                        std::function<void()> callback) override;
     virtual bool isSSLConnection() const override
@@ -308,7 +310,8 @@ class TcpConnectionImpl : public TcpConnection,
     };
     std::unique_ptr<SSLEncryption> sslEncryptionPtr_;
     void startClientEncryptionInLoop(std::function<void()> &&callback,
-                                     bool useOldTLS);
+                                     bool useOldTLS,
+                                     const std::string &hostname);
     void startServerEncryptionInLoop(const std::shared_ptr<SSLContext> &ctx,
                                      std::function<void()> &&callback);
 #endif
