One addendum to this proposal: This proposed method of configuring a SNI proxy server requires that the client sends the SNI hostname as part of the TLS handshake. In the previous proposal we suggested it would only be sent if a SNI Proxy is configured. Now we propose that a geode client will *always* send the SNI hostname when it initiates a TLS connection to a locator or server.
This will help us implement the SniSocketFactory. It may also help with other use cases such as presenting different SSL certificates for different hostnames, which is the original reason this SNI hostname is part of TLS. The SSLParameterExtension will still take precedence, so I think this should not break the original use case for SSLParameterExtension [1] -Dan [1] https://lists.apache.org/thread.html/0e08a5d0a480115ace6412e16ad45023adf0c29406ec2095a4d19d30%40%3Cdev.geode.apache.org%3E On Mon, Mar 16, 2020 at 3:33 PM Dan Smith <dsm...@pivotal.io> wrote: > Hi all, > > A new RFC is up for this feature > https://cwiki.apache.org/confluence/display/GEODE/Client+side+configuration+for+a+SNI+proxy. > > > Please review and comment by this Friday, 3/20/2020. > > This hopefully addresses some of the concerns with the previous RFC for > this feature. The new proposal is for a more general SocketFactory property > that users can implement, along the lines of what Jake and Owen suggested. > > -Dan >
