qianye1001 opened a new issue, #10296:
URL: https://github.com/apache/rocketmq/issues/10296

   ## Problem Statement
   
   Currently RocketMQ Proxy supports only a **single certificate** model:
   
   - `ProxyConfig` has only `tlsCertPath` / `tlsKeyPath` for a single cert/key 
pair
   - gRPC and Remoting servers each build a single `SslContext`
   - `TlsCertificateManager` only watches one cert/key pair for hot-reload
   - No SNI (Server Name Indication) support at all
   
   This makes it impossible to serve multiple top-level domains (e.g. 
`*.alibaba-inc.com` and `*.rocketmq.com`) with different certificates on the 
same Proxy port.
   
   ## Proposed Solution
   
   Introduce **SNI (Server Name Indication)** support using Netty's 
`SniHandler`. The Proxy will inspect the TLS ClientHello's SNI hostname and 
dynamically select the corresponding certificate.
   
   ### Key Changes
   
   1. **New `TlsDomainConfig` POJO** — per-domain cert/key path configuration
   2. **Extended `ProxyConfig`** — new `tlsDomainConfigs` map (domain pattern → 
config)
   3. **New `TlsSniManager`** — manages multiple `SslContext` instances with 
wildcard matching
   4. **Extended `TlsCertificateManager`** — watches multiple cert/key pairs 
independently
   5. **gRPC `ProxyAndTlsProtocolNegotiator`** — uses `SniHandler` for 
SNI-aware TLS
   6. **Remoting `NettyRemotingServer`** — `TlsModeHandler` uses `SniHandler` 
via `TlsContextProvider`
   
   ### Configuration Example
   
   ```yaml
   tlsCertPath: /path/to/default.crt
   tlsKeyPath: /path/to/default.key
   tlsDomainConfigs:
     "*.alibaba-inc.com":
       certPath: /path/to/alibaba.crt
       keyPath: /path/to/alibaba.key
     "*.rocketmq.com":
       certPath: /path/to/rocketmq.crt
       keyPath: /path/to/rocketmq.key
   ```
   
   ### Wildcard Matching
   
   - Exact match first
   - Wildcard: `foo.rocketmq.com` matches `*.rocketmq.com`
   - Bare domain: `rocketmq.com` matches `*.rocketmq.com`
   - Multi-level (`a.b.rocketmq.com`) does NOT match `*.rocketmq.com`
   - No match → fallback to default certificate
   
   ## Verification
   
   ### Manual verification with `openssl s_client`:
   
   ```bash
   # .com domain → should return *.rocketmq.com cert
   openssl s_client -connect 127.0.0.1:<proxyPort> -servername 
test.rocketmq.com </dev/null 2>/dev/null | openssl x509 -noout -subject
   
   # .alibaba domain → should return *.alibaba-inc.com cert
   openssl s_client -connect 127.0.0.1:<proxyPort> -servername 
test.alibaba-inc.com </dev/null 2>/dev/null | openssl x509 -noout -subject
   
   # No SNI → should return default (localhost) cert
   openssl s_client -connect 127.0.0.1:<proxyPort> </dev/null 2>/dev/null | 
openssl x509 -noout -subject
   ```
   
   ### Backward Compatibility
   
   When `tlsDomainConfigs` is not configured, the behavior is **identical** to 
the current single-certificate model.
   
   ## Risks
   
   1. **Netty SniHandler async nature** — needs verification that gRPC's 
`ProxyAndTlsProtocolNegotiator` pipeline is compatible
   2. **Pipeline order** — `TlsModeHandler` (PERMISSIVE mode detection) must 
run before `SniHandler`
   3. **Old clients without SNI** — will fallback to default certificate
   4. **TlsSystemConfig compatibility** — Remoting's static config system needs 
backward compatibility
   
   ## Related PR
   
   https://github.com/apache/rocketmq/pull/10295


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to