Posted to commits@nifi.apache.org by "Ferenc Gerlits (Jira)" <ji...@apache.org> on 2020/09/01 08:39:00 UTC

[jira] [Created] (MINIFI-539) Add SNI info to raw TCP TLS/SSL handshake

Ferenc Gerlits created MINIFI-539:
-------------------------------------

             Summary: Add SNI info to raw TCP TLS/SSL handshake
                 Key: MINIFI-539
                 URL: https://issues.apache.org/jira/browse/MINIFI-539
             Project: Apache NiFi MiNiFi
          Issue Type: Improvement
            Reporter: Ferenc Gerlits
            Assignee: Ferenc Gerlits


From Daniel Schoberle:

It seems that when TLS/SSL is used, the TLS handshake is not using the SNI extension. So the reverse proxy load balancing can't work as described for NiFi. I've tcpdumped the handshake, the target hostname is not filled in the TLS ClientHello package:
 (9091 - HTTPS port, 9099 - raw TCP port)
{noformat}
[root@locallb02 nginx]# tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and host 10.6.0.13' -nnXSs0 -ttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
 00:00:00.000000 IP 10.6.0.13.39888 > 10.6.0.11.9091: Flags [P.], seq 1025627430:1025627677, ack 3555885837, win 229, options [nop,nop,TS val 415548221 ecr 415534473], length 247
        0x0000:  4500 012b 1610 4000 4006 0f9a 0a06 000d  E..+..@.@.......
        0x0010:  0a06 000b 9bd0 2383 3d21 d526 d3f2 830d  ......#.=!.&....
        0x0020:  8018 00e5 f4f7 0000 0101 080a 18c4 c33d  ...............=
        0x0030:  18c4 8d89 1603 0100 f201 0000 ee03 03a3  ................
        0x0040:  7860 ae11 61e3 1c75 937e 7378 d305 ae5c  x`..a..u.~sx...\
        0x0050:  50f9 0890 22ac a097 934a 2a27 d7cc fc00  P..."....J*'....
        0x0060:  005c c030 c02c c028 c024 c014 c00a 009f  .\.0.,.(.$......
        0x0070:  006b 0039 cca9 cca8 ccaa ff85 00c4 0088  .k.9............
        0x0080:  0081 009d 003d 0035 00c0 0084 c02f c02b  .....=.5...../.+
        0x0090:  c027 c023 c013 c009 009e 0067 0033 00be  .'.#.......g.3..
        0x00a0:  0045 009c 003c 002f 00ba 0041 c011 c007  .E...<./...A....
        0x00b0:  0005 0004 c012 c008 0016 000a 00ff 0100  ................
        0x00c0:  0069 0000 0024 0022 0000 1f69 6970 6e69  .i...$."...iipni
        0x00d0:  6669 2e63 6369 7363 6c6f 7564 6572 612e  fi.cciscloudera.
        0x00e0:  6e63 732e 636f 6d2e 7367 000b 0002 0100  ncs.com.sg......
        0x00f0:  000a 0008 0006 001d 0017 0018 000d 001c  ................
        0x0100:  001a 0601 0603 efef 0501 0503 0401 0403  ................
        0x0110:  eeee eded 0301 0303 0201 0203 0010 000b  ................
        0x0120:  0009 0868 7474 702f 312e 3100 0000 0000  ...http/1.1.....
        0x0130:  0000 0000 0000 0000 0000 00              ...........
 00:00:00.473570 IP 10.6.0.13.40906 > 10.6.0.11.9099: Flags [P.], seq 3091594577:3091594773, ack 1445468953, win 229, options [nop,nop,TS val 415548695 ecr 415534953], length 196
        0x0000:  4500 00f8 385e 4000 4006 ed7e 0a06 000d  E...8^@.@..~....
        0x0010:  0a06 000b 9fca 238b b845 fd51 5628 1b19  ......#..E.QV(..
        0x0020:  8018 00e5 2e15 0000 0101 080a 18c4 c517  ................
        0x0030:  18c4 8f69 1603 0100 bf01 0000 bb03 0394  ...i............
        0x0040:  3310 069f 2793 142c 8f45 a7e7 51b8 8c00  3...'..,.E..Q...
        0x0050:  ff70 1d58 0bee dd5a 5137 3d17 d9ef cb00  .p.X...ZQ7=.....
        0x0060:  005c c030 c02c c028 c024 c014 c00a 009f  .\.0.,.(.$......
        0x0070:  006b 0039 cca9 cca8 ccaa ff85 00c4 0088  .k.9............
        0x0080:  0081 009d 003d 0035 00c0 0084 c02f c02b  .....=.5...../.+
        0x0090:  c027 c023 c013 c009 009e 0067 0033 00be  .'.#.......g.3..
        0x00a0:  0045 009c 003c 002f 00ba 0041 c011 c007  .E...<./...A....
        0x00b0:  0005 0004 c012 c008 0016 000a 00ff 0100  ................
        0x00c0:  0036 000b 0002 0100 000a 0008 0006 001d  .6..............
        0x00d0:  0017 0018 0023 0000 000d 001c 001a 0601  .....#..........
        0x00e0:  0603 efef 0501 0503 0401 0403 eeee eded  ................
        0x00f0:  0301 0303 0201 0203 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000                      ........
{noformat}
 

MiNiFi should add the target hostname in the SNI extension of the ClientHello message when connecting to a server over TLS.
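The two hex dumps above can be checked mechanically. The following is an added Python example, not MiNiFi code: it decodes the extensions of a TLS ClientHello and reports whether a server_name (SNI) entry is present. The two byte strings are the TCP payloads of the packets quoted in the ticket (everything from offset 0x34 of the tcpdump -X output, i.e. after the 20-byte IP and 32-byte TCP headers), so the names HELLO_9091 and HELLO_9099, the sni_check helper and the decoding functions are assumptions of this example. The 16 zero bytes tcpdump printed after each record are kept deliberately so the parser is seen to trust the TLS length fields rather than the capture length.

```python
"""Decode the SNI and ALPN extensions of a TLS ClientHello (added example for
MINIFI-539, not MiNiFi code). HELLO_9091 is the HTTPS ClientHello from the
ticket, HELLO_9099 the raw-TCP one; both are the TCP payload bytes from offset
0x34 of the quoted tcpdump output, including the trailing zero padding."""
import struct

SNI = 0          # server_name extension type, RFC 6066
ALPN = 16        # application_layer_protocol_negotiation, RFC 7301

HELLO_9091 = bytes.fromhex(
    "1603 0100 f201 0000 ee03 03a3 7860 ae11 61e3 1c75 937e 7378 d305 ae5c"
    "50f9 0890 22ac a097 934a 2a27 d7cc fc00 005c c030 c02c c028 c024 c014 c00a 009f"
    "006b 0039 cca9 cca8 ccaa ff85 00c4 0088 0081 009d 003d 0035 00c0 0084 c02f c02b"
    "c027 c023 c013 c009 009e 0067 0033 00be 0045 009c 003c 002f 00ba 0041 c011 c007"
    "0005 0004 c012 c008 0016 000a 00ff 0100 0069 0000 0024 0022 0000 1f69 6970 6e69"
    "6669 2e63 6369 7363 6c6f 7564 6572 612e 6e63 732e 636f 6d2e 7367 000b 0002 0100"
    "000a 0008 0006 001d 0017 0018 000d 001c 001a 0601 0603 efef 0501 0503 0401 0403"
    "eeee eded 0301 0303 0201 0203 0010 000b 0009 0868 7474 702f 312e 3100 0000 0000"
    "0000 0000 0000 0000 0000 00"
)
HELLO_9099 = bytes.fromhex(
    "1603 0100 bf01 0000 bb03 0394 3310 069f 2793 142c 8f45 a7e7 51b8 8c00"
    "ff70 1d58 0bee dd5a 5137 3d17 d9ef cb00 005c c030 c02c c028 c024 c014 c00a 009f"
    "006b 0039 cca9 cca8 ccaa ff85 00c4 0088 0081 009d 003d 0035 00c0 0084 c02f c02b"
    "c027 c023 c013 c009 009e 0067 0033 00be 0045 009c 003c 002f 00ba 0041 c011 c007"
    "0005 0004 c012 c008 0016 000a 00ff 0100 0036 000b 0002 0100 000a 0008 0006 001d"
    "0017 0018 0023 0000 000d 001c 001a 0601 0603 efef 0501 0503 0401 0403 eeee eded"
    "0301 0303 0201 0203 0000 0000 0000 0000 0000 0000 0000 0000"
)


def parse_client_hello(payload):
    """Return {'version', 'extensions', 'sni', 'alpn'}, or None if the payload
    is not a TLS handshake record (0x16) carrying a ClientHello (0x01)."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs_len = int.from_bytes(payload[6:9], "big")      # 3-byte handshake length
    body = payload[9:9 + hs_len]
    if len(body) != hs_len or hs_len + 4 > rec_len:
        return None                                   # truncated record
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                      # client_version + random
    pos += 1 + body[pos]                              # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    info = {"version": version, "extensions": [], "sni": None, "alpn": []}
    if pos + 2 > len(body):
        return info                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                             # walk type/length/data triples
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == SNI:
            info["sni"] = _parse_sni(data)
        elif etype == ALPN:
            info["alpn"] = _parse_alpn(data)
    return info


def _parse_sni(data):
    """server_name_list: 2-byte list length, then (1-byte type, 2-byte length, name)."""
    q = 2
    while q + 3 <= len(data):
        ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
        if ntype == 0:                                # NameType host_name
            return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
        q += 3 + nlen
    return None


def _parse_alpn(data):
    """protocol_name_list: 2-byte list length, then (1-byte length, name) entries."""
    names, q = [], 2
    while q < len(data):
        plen = data[q]
        names.append(data[q + 1:q + 1 + plen].decode("ascii", "replace"))
        q += 1 + plen
    return names


def sni_check(label, payload):
    """One-line verdict of the kind a proxy operator wants when debugging routing."""
    hello = parse_client_hello(payload)
    if hello is None:
        return f"{label}: not a ClientHello"
    if hello["sni"] is None:
        return f"{label}: ClientHello WITHOUT server_name (extensions {hello['extensions']})"
    return f"{label}: server_name={hello['sni']} alpn={hello['alpn']}"


if __name__ == "__main__":
    print(sni_check("port 9091 (HTTPS)", HELLO_9091))
    print(sni_check("port 9099 (raw TCP)", HELLO_9099))
```

Run stand-alone, the HTTPS hello on port 9091 decodes to server_name iipnifi.cciscloudera.ncs.com.sg with ALPN http/1.1, while the raw-TCP hello on port 9099 carries only the ec_point_formats (11), supported_groups (10), session_ticket (35) and signature_algorithms (13) extensions and no server_name, which is exactly why an SNI-based reverse proxy cannot route it.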


