Hi Kaleb,

thank you for your answer.

I'm working on a custom web service and I need to manage multiple virtual host on the same IP. So, when a connection begins I need to get the SNI to set the right certificate in the ctx. Is there a way to achieve this without enter so deeply in the wolfSSL's core? I need the hostname only...

@ans,

If you do decide to pursue this basically it would all be at your application level to avoid delving into wolfSSL internals. You could just read the raw bytes off the TCP stream as they come in, check to see if it's a TLS packet and if it is then see if the packet type is a client hello. If that check also passes then you send the TCP packet off to wolfSSL_SNI_GetFromBuffer and if it returned an error that would indicate no server name indication extension was present. If it returned a success then you would have the SNI name and based on it's value do what you need to from there.

Warm Regards,

K

@ans,

Very minimal impact, even in https the client hello message is still going to be plain text (unencrypted) as are the first flights of any TLS handshake while the protocol is being negotiated between the two parties.

You would just store the contents of the incoming TCP data, check the content type of the packet by processing only the first 5 bytes of the TLS part of the packet (You'll have to figure out how to skip the TCP information preceding the TLS part). You can determine if the packet contains a Handshake message by checking if the first byte is integer value 22 or hex value 16 (See attached image from wireshark capture). If it's a handshake message then skip ahead to the 6th byte and check if it is integer value 1 or hex value 0x01. If so then it's a Client Hello message!. If it is a client hello then get the length from bytes 4 and 5 (base_16) and convert to integer value (143 in the screen shot) now copy everything (including the first five bytes) into a buffer. Now you have a buffer containing the Client Hello + TLS record header (the first five bytes) and can pass it to the API wolfSSL_SNI_GetFromBuffer!

This would add very little overhead to your application and isn't a hack at all. This is the same way HA Proxy does it. HA Proxy uses a function to "peek" at the incoming TLS record header to see if it is a client hello or not and ignores it if it isn't. If it is then it grabs the SNI and forwards the traffic to the correct server.

I can certainly add this as a feature request to our tracker. Feature requests are customizations a customer would like to see added but without funding to back the effort they only are worked on when we have spare time between other paid projects. Feature requests can always be accelerated if a customer has a high need and decides to fund the effort!

Warm Regards,

K

@ans,

You don't actually pull the N buffered bytes, remember I noted you "peek" and copy them but you don't take them off the wire. I am not a load balancer expert but based on the HaProxy solution it looks like the flow would be:

Bytes arrive
Peek at TCP bytes while blocking
determine SNI
unblock and forward to destination server based on SNI

- K