Revolyssup commented on code in PR #12668:
URL: https://github.com/apache/apisix/pull/12668#discussion_r2428104868


##########
apisix/ssl/router/radixtree_sni.lua:
##########
@@ -55,24 +55,30 @@ local function create_router(ssl_items)
             if type(ssl.value.snis) == "table" and #ssl.value.snis > 0 then
                 sni = core.table.new(0, #ssl.value.snis)
                 for _, s in ipairs(ssl.value.snis) do
-                    j = j + 1
-                    sni[j] = s:reverse()
+                    if s ~= "*" then
+                        j = j + 1
+                        sni[j] = s:reverse()
+                    end
                 end
             else
-                sni = ssl.value.sni:reverse()
+                if ssl.value.sni ~= "*" then
+                    sni = ssl.value.sni:reverse()
+                end
             end
 
-            idx = idx + 1
-            route_items[idx] = {
-                paths = sni,
-                handler = function (api_ctx)
-                    if not api_ctx then
-                        return
+            if sni and (type(sni) == "table" and #sni > 0 or type(sni) == 
"string") then
+                idx = idx + 1
+                route_items[idx] = {
+                    paths = sni,
+                    handler = function (api_ctx)
+                        if not api_ctx then
+                            return
+                        end
+                        api_ctx.matched_ssl = ssl
+                        api_ctx.matched_sni = sni
                     end
-                    api_ctx.matched_ssl = ssl
-                    api_ctx.matched_sni = sni
-                end
-            }
+                }
+            end
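Review bot: An SSL object whose only SNI is the bare `*` now produces no route item in `create_router`, and nothing in the hunk logs the skip or says where that certificate is selected instead, so a misconfigured catch-all would fail silently at handshake time. A comment above the new `if s ~= "*" then`, such as `-- bare "*" is not a radixtree path; the catch-all certificate is resolved outside this router`, would document the intent, assuming that fallback exists outside the hunk. For a mixed list, `api_ctx.matched_sni` now holds the filtered table without `*`, so any later code that compares it against the configured `snis` should be checked. The new guard also relies on `and`/`or` precedence; `if type(sni) == "string" or (type(sni) == "table" and #sni > 0) then` reads more plainly and makes the leading `sni and` unnecessary. The declaration of `sni` is outside the hunk; if it is not re-declared on each loop iteration, the skipped single-`sni` branch would leave the previous entry's value in place and bind that name to this certificate.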

Review Comment:
   
   ## Result with only the regex change
   ```bash
   12:23:55.048914 [0-0] == Info: TLSv1.3 (OUT), TLS handshake, Client hello 
(1):
   12:23:55.048962 [0-0] => Send SSL data, 1556 bytes (0x614)
   0000: ......\F....#.J.-..Y....rW.E........P. [`..+.G.l-A...i.n..NR6...
   0040: 9.)..MX.<.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
   0080: <.5./..................www.test.com.............................
   00c0: ......h2.http/1.1.........1.....6.4.............................
   0100: ........................+........-.....3.........G|.lT..M......y
   0140: ..|..3z7.#...:_.h.U..4.........F..fS.7..uZ'1..B...G.8.6.vS^;...1
   0180: p..[.FG.SK....2..'.;[email protected]..
   01c0: o.*.........wQ.$.dD.....S...,...c...a*z....ps..8.YU.9...$..uQ.Wv
   0200: i"...*@...3.*I6..qs..'.......mH..X%....P..y'. j.D=F!..5.W.9/.!.`
   0240: ....m.I}Q...%.....&v..gP.......xAm.\...c.h....u9g.w..cS..w/..-..
   0280: ...O.5.FZ.....I."bd.s=....{.".`Z..7D...H..R.....4 ....x*3.....G.
   02c0: . ..=*....1..c......]..5A.....tN.x...>....Y..z..rF.....W..[N@...
   0300: |?...P...c..=.H.:*....?..sCw.U.fX....3..?*0..J.k1:...6....W...T.
   0340: ..P...5(..&.S.5.{.Fa...as*m...Y.......m...."g...{...c.3.....t.*.
   0380: .+..1)".~....E..%.:..<....2...55.F4..W.X..b_:..C..SW\Tq_..]o..g)
   03c0: ........7..7..Z.cb..WS...J.m.`.-....B.S...I..%.r.|.Y.g?.........
   0400: .jB9...k..k%.U........9...Q..8.....7........0.....<,wB..Ivc-..<.
   0440: .l.85...$.`c.;/.5Y..N..H..:..L......\..1.....Ux.DB...e#....c....
   0480: ......lCb......TJ8^.b,l..mq.....w,....z5.........U.e..+v.%Q..[..
   04c0: yBH$..e......p/.....+...t.}8A..k.....VK*;5.2...L..h...Q.S!.!{.S.
   0500: Q$.q.......b3..x~39..Ht..L....z.7x..1L..(&..Q..e.BV......+F_.+..
   0540: .8...@P..|..'...b.p...AJ\..zB.q.d<...?.+... ........q...)U....w<
   0580: ....*.FRl..N..Zzlm3...pc.......,%..D....W.jS!.k.^d....V.....rZdN
   05c0: <..ID.......`.....W0...k.~.....Mj...k.....R[zpP2... ..}8.V.<.{..
   0600: .._3..6j4...{m. b...
   12:23:55.050238 [0-0] == Info: [SSL] ossl_bio_cf_out_write(len=1561) -> 0, 
1561
   12:23:55.050293 [0-0] == Info: [SSL] ossl_bio_cf_in_read(len=5) -> 81, 0
   12:23:55.050336 [0-0] == Info: [SSL] ossl_populate_x509_store, 
path=/etc/ssl/certs/ca-certificates.crt, blob=0
   12:23:55.050409 [0-0] == Info: [SSL] SSL_connect() -> err=-1, detail=2
   12:23:55.050456 [0-0] == Info: [SSL] SSL_connect() -> want recv
   12:23:55.050502 [0-0] == Info: [SSL] cf_connect() -> 0, done=0
   12:23:55.050550 [0-0] == Info: [HTTPS-CONNECT] connect -> 0, done=0
   12:23:55.050599 [0-0] == Info: [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 
0, done=0
   12:23:55.050659 [0-0] == Info: [SSL] adjust_pollset, POLLIN fd=5
   12:23:55.050699 [0-0] == Info: [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
   12:23:55.050752 [0-0] == Info: [SSL] cf_connect()
   12:23:55.050788 [0-0] == Info: [SSL] ossl_connect, step2
   12:23:55.050830 [0-0] == Info: [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
   12:23:55.050879 [0-0] <= Recv SSL data, 5 bytes (0x5)
   0000: .....
   12:23:55.050931 [0-0] == Info: [SSL] ossl_bio_cf_in_read(len=2) -> 0, 2
   12:23:55.050979 [0-0] == Info: TLSv1.3 (IN), TLS alert, internal error (592):
   12:23:55.051024 [0-0] <= Recv SSL data, 2 bytes (0x2)
   0000: .P
   12:23:55.051074 [0-0] == Info: [SSL] SSL_connect() -> err=-1, detail=1
   12:23:55.051124 [0-0] == Info: TLS connect error: error:0A000438:SSL 
routines::tlsv1 alert internal error
   12:23:55.051207 [0-0] == Info: [SSL] cf_connect() -> 35, done=0
   12:23:55.051251 [0-0] == Info: [HTTPS-CONNECT] connect, all attempts failed
   12:23:55.051302 [0-0] == Info: [HTTPS-CONNECT] connect -> 35, done=0
   12:23:55.051351 [0-0] == Info: [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 
35, done=0
   12:23:55.051420 [0-0] == Info: [HTTPS-CONNECT] Curl_conn_connect(), filter 
returned 35
   12:23:55.051478 [0-0] == Info: [WRITE] [OUT] done
   12:23:55.051513 [0-0] == Info: closing connection #0
   curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert 
internal error
   ```
   
   ## With the above code change, the handshake completes successfully
   ```bash
   0000:
   12:25:28.727163 [0-0] == Info: [WRITE] header_collect pushed(type=1, len=2) 
-> 0
   12:25:28.727218 [0-0] == Info: [WRITE] [OUT] wrote 2 header bytes -> 2
   12:25:28.727262 [0-0] == Info: [WRITE] [PAUSE] writing 2/2 bytes of type 4 
-> 0
   12:25:28.727312 [0-0] == Info: [WRITE] download_write header(type=4, blen=2) 
-> 0
   12:25:28.727367 [0-0] == Info: [WRITE] client_write(type=4, len=2) -> 0
   12:25:28.727419 [0-0] <= Recv data, 309 bytes (0x135)
   0000: {.  "args": {}, .  "headers": {.    "Accept": "*/*", .    "Host"
   0040: : "www.test.com", .    "User-Agent": "curl/8.16.0", .    "X-Amzn
   0080: -Trace-Id": "Root=1-68edf3e0-3e4b97345b596c214d24168a", .    "X-
   00c0: Forwarded-Host": "www.test.com".  }, .  "origin": "127.0.0.1, 12
   0100: 2.177.98.216", .  "url": "http://www.test.com/get".}.
   {
     "args": {},
     "headers": {
       "Accept": "*/*",
       "Host": "www.test.com",
       "User-Agent": "curl/8.16.0",
       "X-Amzn-Trace-Id": "Root=1-68edf3e0-3e4b97345b596c214d24168a",
       "X-Forwarded-Host": "www.test.com"
     },
     "origin": "127.0.0.1, 122.177.98.216",
     "url": "http://www.test.com/get";
   }
   ```


