1 (edited by ans 2018-11-30 07:07:39)

Topic: Server SNI wolfSSL_SNI_GetFromBuffer

Hi guys,

thank you for the great work you've done in WolfSSL.

I understand that I can extract the SNI from ClientHello bytes using:

int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, byte type, byte* sni, word32* inOutSz);

Ok. But, where can I find the ClientHello's bytes?

1) Is there a pointer in some structure?

2) Maybe I need to buffer the raw bytes before starting wolfSSL, call the function to extract the SNI, and then inject the raw buffered bytes into wolfSSL again in some way in order to restart the connection flow?

Thanks!


Re: Server SNI wolfSSL_SNI_GetFromBuffer

Hi @ans,

Thanks for contacting wolfSSL with your questions. Can you tell us what it is you are working on that requires extracting the SNI from the client hello buffer manually? We are curious!

Anyway, there is no pointer to a structure or anything like that; you would need to actually modify the IO Recv (EmbedRecv) functionality to store the raw bytes out to some location for later processing, or process them in place in the receive callback.

Maybe I need to buffer the raw bytes before starting wolfSSL, call the function to extract the SNI, and then inject the raw buffered bytes into wolfSSL again in some way in order to restart the connection flow?

What's the use case here? Could you explain more exactly what it is you're trying to do?


Warm Regards,

K

Re: Server SNI wolfSSL_SNI_GetFromBuffer

Hi Kaleb,

thank you for your answer.

I'm working on a custom web service and I need to manage multiple virtual hosts on the same IP. So, when a connection begins I need to get the SNI to set the right certificate in the ctx. Is there a way to achieve this without entering so deeply into wolfSSL's core? I need the hostname only...


Re: Server SNI wolfSSL_SNI_GetFromBuffer

Hi @ans,

So essentially, and correct me if I'm wrong, you are trying to create your own load balancer? If that is the case this is a very complex problem! Have you considered using an existing solution such as HaProxy (which has support for wolfSSL)?

Warm Regards,

- K

Re: Server SNI wolfSSL_SNI_GetFromBuffer

@ans,

If you do decide to pursue this, basically it would all be at your application level to avoid delving into wolfSSL internals. You could just read the raw bytes off the TCP stream as they come in, check to see if it's a TLS packet, and if it is, then see if the packet type is a client hello. If that check also passes, then you send the TCP packet off to wolfSSL_SNI_GetFromBuffer, and if it returned an error that would indicate no server name indication extension was present. If it returned success then you would have the SNI name and, based on its value, do what you need to from there.

Warm Regards,

K

6 (edited by ans 2018-12-05 14:50:46)

Re: Server SNI wolfSSL_SNI_GetFromBuffer

Kaleb J. Himes wrote:

Hi @ans,

So essentially, and correct me if I'm wrong, you are trying to create your own load balancer? If that is the case this is a very complex problem! Have you considered using an existing solution such as HaProxy (which has support for wolfSSL)?

Warm Regards,

- K

A simple web server that writes responses and handles requests in plain HTTP. I have my own simple library, and to implement HTTPS support I'm looking for a working and stable library like wolfSSL.

While with a plain request I can read the Host header and then redirect the content generation, HTTPS is different because I can't read the request headers before sending the certificate, and that is as it should be.

Imagine a server with IP "MyIP" that handles requests from "DomainA" and "DomainB", with "CertA" and "CertB".

Now, if a client connects to MyIP, which certificate do I need to send? CertA or CertB? To resolve this issue the only way is to know the SNI value, compare it to DomainA and DomainB, and send the right certificate. After this, redirecting to the right content generation callback is the same as for the insecure requests.

I need the SNI value for this reason.


Doesn't resolving the SNI at the application level, by buffering raw bytes or customizing the wolfSSL IO, slow down the entire process by parsing the packets two times?


Can you modify the library by adding a "char *sni" somewhere?

By the way, every suggestion for easily getting the SNI value without too many hacks is appreciated.


Re: Server SNI wolfSSL_SNI_GetFromBuffer

@ans,

Doesn't resolving the SNI at the application level, by buffering raw bytes or customizing the wolfSSL IO, slow down the entire process by parsing the packets two times?

Very minimal impact: even in HTTPS the client hello message is still going to be plain text (unencrypted), as are the first flights of any TLS handshake while the protocol is being negotiated between the two parties.

You would just store the contents of the incoming TCP data and check the content type of the packet by processing only the first 5 bytes of the TLS part of the packet (you'll have to figure out how to skip the TCP information preceding the TLS part). You can determine if the packet contains a Handshake message by checking if the first byte is integer value 22 or hex value 16 (see attached image from a Wireshark capture). If it's a handshake message, then skip ahead to the 6th byte and check if it is integer value 1 or hex value 0x01. If so, then it's a Client Hello message! If it is a client hello, then get the length from bytes 4 and 5 (base 16) and convert it to an integer value (143 in the screenshot), and now copy everything (including the first five bytes) into a buffer. Now you have a buffer containing the Client Hello + TLS record header (the first five bytes) and can pass it to the API wolfSSL_SNI_GetFromBuffer!

This would add very little overhead to your application and isn't a hack at all. This is the same way HA Proxy does it. HA Proxy uses a function to "peek" at the incoming TLS record header to see if it is a client hello or not and ignores it if it isn't. If it is then it grabs the SNI and forwards the traffic to the correct server.

Can you modify the library by adding a "char *sni" somewhere?

I can certainly add this as a feature request to our tracker. Feature requests are customizations a customer would like to see added, but without funding to back the effort they are only worked on when we have spare time between other paid projects. Feature requests can always be accelerated if a customer has a high need and decides to fund the effort!


Warm Regards,

K

Post's attachments: Screen Shot 2018-12-06 at 2.34.41 PM.png (Wireshark capture referenced above)
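The byte checks Kaleb describes above, written out as an added example (this is not code from the thread or from wolfSSL): peek_client_hello applies the record-header test (first byte 0x16, sixth byte 0x01, length from bytes 4 and 5), and extract_sni is a bounds-checked stand-in for the wolfSSL_SNI_GetFromBuffer call so the example compiles without the library; the sample ClientHello bytes and the host name "domaina.test" are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: one TLS record wrapping a ClientHello whose only
 * extension is server_name = "domaina.test" (the 32 random bytes are zeroed). */
static const uint8_t HELLO[] = {
    0x16,0x03,0x01,0x00,0x44, 0x01,0x00,0x00,0x40, 0x03,0x03, /* record hdr, handshake hdr, version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00,0x02,0x00,0x2f, 0x01,0x00,            /* no session id, one suite, null compression */
    0x00,0x15, 0x00,0x00,0x00,0x11, 0x00,0x0f, 0x00,0x00,0x0c, /* ext len 21, server_name 17, list 15, host_name 12 */
    'd','o','m','a','i','n','a','.','t','e','s','t' };

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Peek at the 5-byte record header: returns the record length if the record
 * carries a ClientHello (byte 1 == 0x16, byte 6 == 0x01), 0 otherwise. */
size_t peek_client_hello(const uint8_t *b, size_t n)
{
    if (n < 6 || b[0] != 0x16 || b[5] != 0x01) return 0;
    return rd16(b + 3);                              /* bytes 4 and 5, one-indexed */
}

/* Stand-in for wolfSSL_SNI_GetFromBuffer: walk the hello to the server_name
 * extension (type 0) and copy the host_name out. Every length is checked
 * against the record so a truncated or malformed hello returns -1. */
int extract_sni(const uint8_t *b, size_t n, char *out, size_t outsz)
{
    size_t rec = peek_client_hello(b, n), p = 5 + 4 + 2 + 32, end;
    if (rec == 0 || rec + 5 > n) return -1;
    n = rec + 5;                                      /* bound by the record length */
    if (p >= n) return -1;      p += 1 + b[p];        /* session id */
    if (p + 2 > n) return -1;   p += 2 + rd16(b + p); /* cipher suites */
    if (p >= n) return -1;      p += 1 + b[p];        /* compression methods */
    if (p + 2 > n) return -1;   end = p + 2 + rd16(b + p); p += 2;
    if (end > n) return -1;
    while (p + 4 <= end) {                            /* extension loop */
        size_t type = rd16(b + p), elen = rd16(b + p + 2);
        p += 4;
        if (p + elen > end) return -1;
        if (type == 0 && elen >= 5 && b[p + 2] == 0) { /* server_name, host_name entry */
            size_t nlen = rd16(b + p + 3);
            if (5 + nlen > elen || nlen >= outsz) return -1;
            memcpy(out, b + p + 5, nlen);
            out[nlen] = '\0';
            return (int)nlen;
        }
        p += elen;
    }
    return -1;                                        /* no SNI extension present */
}
```

In the application the bytes are only peeked and copied, so the same record still reaches wolfSSL untouched once the certificate has been chosen.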

Re: Server SNI wolfSSL_SNI_GetFromBuffer

Really thank you for your support Kaleb.

I have only one question.

I buffer N bytes and extract the SNI, and then how can I pass the N buffered bytes back to wolfSSL for reparsing?


Re: Server SNI wolfSSL_SNI_GetFromBuffer

@ans,

You don't actually pull the N buffered bytes; remember I noted you "peek" and copy them, but you don't take them off the wire. I am not a load balancer expert, but based on the HaProxy solution it looks like the flow would be:

Bytes arrive
Peek at TCP bytes while blocking
determine SNI
unblock and forward to destination server based on SNI

- K


Re: Server SNI wolfSSL_SNI_GetFromBuffer

Thank you Kaleb for your time and for your support. I'll work on it soon!

Best regards
