qianye1001 opened a new issue, #10300:
URL: https://github.com/apache/rocketmq/issues/10300

   ## Problem Statement
   
   Currently RocketMQ Proxy supports only a **single certificate** model:
   
   - `ProxyConfig` has only `tlsCertPath` / `tlsKeyPath` for a single cert/key pair
   - gRPC and Remoting servers each build a single `SslContext`
   - `TlsCertificateManager` only watches one cert/key pair for hot-reload
   - No SNI (Server Name Indication) support at all
   
   This makes it impossible to serve multiple top-level domains with different certificates on the same Proxy port.
   
   ## Proposed Solution
   
   Introduce **SNI (Server Name Indication)** support using Netty's `SniHandler`. The Proxy will inspect the TLS ClientHello's SNI hostname and dynamically select the corresponding certificate.
   
   ### Key Changes
   
   1. **New `TlsDomainConfig` POJO** — per-domain cert/key path configuration
   2. **Extended `ProxyConfig`** — new `tlsDomainConfigs` map (domain pattern → config)
   3. **New `TlsSniManager`** — manages multiple `SslContext` instances with wildcard matching
   4. **Extended `TlsCertificateManager`** — watches multiple cert/key pairs independently
   5. **gRPC `ProxyAndTlsProtocolNegotiator`** — uses `SniHandler` for SNI-aware TLS
   6. **Remoting `NettyRemotingServer`** — `TlsModeHandler` uses `SniHandler` via `TlsContextProvider`
   
   ### Configuration Example
   
   ```yaml
   tlsCertPath: /path/to/default.crt
   tlsKeyPath: /path/to/default.key
   tlsDomainConfigs:
     "*.example.com":
       certPath: /path/to/example.crt
       keyPath: /path/to/example.key
     "*.sample.org":
       certPath: /path/to/sample.crt
       keyPath: /path/to/sample.key
   ```
   
   ### Wildcard Matching
   
   - Exact match first
   - Wildcard: `foo.example.com` matches `*.example.com`
   - Bare domain: `example.com` matches `*.example.com`
   - Multi-level (`a.b.example.com`) does NOT match `*.example.com`
   - No match → fallback to default certificate
   
   ## Verification
   
   ### Manual verification with `openssl s_client`:
   
   ```bash
   # First domain
   openssl s_client -connect 127.0.0.1:<proxyPort> -servername test.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject
   
   # Second domain
   openssl s_client -connect 127.0.0.1:<proxyPort> -servername test.sample.org </dev/null 2>/dev/null | openssl x509 -noout -subject
   
   # No SNI → should return default cert
   openssl s_client -connect 127.0.0.1:<proxyPort> </dev/null 2>/dev/null | openssl x509 -noout -subject
   ```
   
   ### Backward Compatibility
   
   When `tlsDomainConfigs` is not configured, the behavior is **identical** to the current single-certificate model.
   
   ## Related PR
   
   https://github.com/apache/rocketmq/pull/10299


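The issue above describes two things an SNI-aware server has to do: pull the `host_name` out of the TLS ClientHello (what Netty's `SniHandler` does) and then apply the wildcard matching rules (exact match first, one-label wildcard, bare domain, no multi-level match, fall back to the default certificate). The following is an added, stand-alone Python illustration of that flow; it is not RocketMQ or Netty code and does not reflect the actual implementation in the linked PR. The minimal ClientHello builder, the certificate labels standing in for `SslContext` objects, and the function names (`parse_sni`, `select_cert`, `cert_for_client_hello`) are all constructed for this example. One choice beyond the issue text: hostnames and patterns are compared case-insensitively, which is the usual DNS-name convention.

```python
import struct

def parse_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Walks only the fields needed to reach the server_name extension
    (RFC 6066). Truncated or non-ClientHello input yields None, which a
    server should treat the same as "no SNI sent".
    """
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack('!H', record[3:5])[0]]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack('!H', body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos >= len(body):
            return None                                         # no extensions block
        ext_end = pos + 2 + struct.unpack('!H', body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack('!HH', body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                              # 0 = server_name
                continue
            lpos = 2                                            # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack('!H', data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0:                              # 0 = host_name
                    return name.decode('ascii')
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(server_name=None) -> bytes:
    """Constructed test input: a minimal ClientHello, optionally carrying SNI."""
    exts = b''
    if server_name is not None:
        name = server_name.encode('ascii')
        entry = b'\x00' + struct.pack('!H', len(name)) + name
        sni = struct.pack('!H', len(entry)) + entry
        exts = struct.pack('!HH', 0x0000, len(sni)) + sni
    body = (b'\x03\x03' + bytes(32)                 # version + all-zero random (test only)
            + b'\x00'                               # empty session_id
            + struct.pack('!H', 2) + b'\x13\x01'    # one cipher suite
            + b'\x01\x00')                          # compression: null only
    if exts:
        body += struct.pack('!H', len(exts)) + exts
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs

def select_cert(sni, domain_configs, default):
    """Pick a certificate for an SNI hostname using the issue's matching rules."""
    if not sni:
        return default                              # no SNI -> default certificate
    host = sni.lower().rstrip('.')
    configs = {k.lower(): v for k, v in domain_configs.items()}
    if host in configs:
        return configs[host]                        # exact match wins
    for pattern, cert in configs.items():
        if not pattern.startswith('*.'):
            continue
        suffix = pattern[2:]
        if host == suffix:
            return cert                             # bare domain matches *.suffix
        if host.endswith('.' + suffix):
            prefix = host[:-(len(suffix) + 1)]
            if '.' not in prefix:                   # exactly one extra label;
                return cert                         # a.b.suffix does NOT match
    return default

# Constructed labels standing in for per-domain SslContext objects.
DOMAIN_CONFIGS = {
    "*.example.com": "example.crt",
    "*.sample.org": "sample.crt",
    "api.example.com": "api.crt",
}
DEFAULT_CERT = "default.crt"

def cert_for_client_hello(record: bytes) -> str:
    """End-to-end: ClientHello bytes -> SNI -> selected certificate label."""
    return select_cert(parse_sni(record), DOMAIN_CONFIGS, DEFAULT_CERT)

if __name__ == "__main__":
    for name in ["test.example.com", "example.com", "a.b.example.com",
                 "API.Example.COM", "test.sample.org", "other.net", None]:
        print(f"{name!s:>20} -> {cert_for_client_hello(build_client_hello(name))}")
```

The `a.b.example.com` case falls through to the default certificate rather than raising or matching `*.example.com`, and a ClientHello with no extensions block at all takes the same default path, so the no-SNI `openssl s_client` check in the issue exercises exactly that branch.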
-- 
This is an automated message from the Apache Git Service.