PR to set SNI during boost lib websocket next_layer() SSL handshake process happen during launch of app tunneling. (#142)

jaiswal-sumit · web-flow · commit d3150e0ebc4e · 2023-10-19T15:23:22.000-07:00
* with Private VPN, it is important that SNI are supplied for SSL handshake, hence this change ensure that SNI is set for next_layer() which is client hello call. Test and working fine.

* Add host Param in function discription
diff --git a/src/TcpAdapterProxy.cpp b/src/TcpAdapterProxy.cpp
@@ -885,8 +885,8 @@ namespace aws { namespace iot { namespace securedtunneling {
                 {
                     BOOST_LOG_SEV(log, debug) << "SSL host verification is off";
                 }
-                //next ssl handshake
-                tac.wss->async_ssl_handshake(boost::asio::ssl::stream_base::client, [=, &tac](boost::system::error_code const &ec)
+                //next ssl handshake and providing host string
+                tac.wss->async_ssl_handshake(boost::asio::ssl::stream_base::client, tac.adapter_config.proxy_host.c_str(), [=, &tac](boost::system::error_code const &ec)
                 {
                     if (ec)
                     {
@@ -2266,4 +2266,4 @@ namespace aws { namespace iot { namespace securedtunneling {
             return false;
         }
     }
-}}}
+}}}
diff --git a/src/WebSocketStream.cpp b/src/WebSocketStream.cpp
@@ -173,15 +173,35 @@ namespace aws {
                 }
             }
 
-            void WebSocketStream::async_ssl_handshake(const ssl::stream_base::handshake_type &type,
+            void WebSocketStream::async_ssl_handshake(const ssl::stream_base::handshake_type &type, const std::string &host,
                                                       const BoostCallbackFunc &handler) {
                 if (localproxyConfig.is_web_proxy_using_tls) {
                     BOOST_LOG_SEV(*log, trace) << "Calling next_layer().async_handshake with type: "
                                                << WEB_PROXY_WITH_TLS_TYPE_NAME;
+                    // Set SNI Hostname (many hosts need this to handshake successfully)
+                    if(!SSL_set_tlsext_host_name(boost::get<unique_ptr<WEB_PROXY_WITH_TLS_TYPE>>(wss)->next_layer().native_handle(), host.c_str()))
+                    {
+                         BOOST_LOG_SEV(*log, trace) << "SSL next_layer() failed to set SNI";
+                    }
+                    else
+                    {
+                         BOOST_LOG_SEV(*log, trace) << "SSL next_layer() SNI is set : "
+                                                    << host;
+                    }
                     return boost::get<unique_ptr<WEB_PROXY_WITH_TLS_TYPE>>(wss)->next_layer().async_handshake(type, handler);
                 } else {
                     BOOST_LOG_SEV(*log, trace) << "Calling next_layer().async_handshake with type: "
                                                << WEB_PROXY_NO_TLS_TYPE_NAME;
+                    // Set SNI Hostname (many hosts need this to handshake successfully)
+                    if(!SSL_set_tlsext_host_name(boost::get<unique_ptr<WEB_PROXY_NO_TLS_TYPE>>(wss)->next_layer().native_handle(), host.c_str()))
+                    {
+                        BOOST_LOG_SEV(*log, trace) << "SSL next_layer() failed to set SNI";
+                    }
+                    else
+                    {
+                        BOOST_LOG_SEV(*log, trace) << "SSL next_layer() SNI is set : "
+                                                   << host;
+                    }
                     return boost::get<unique_ptr<WEB_PROXY_NO_TLS_TYPE>>(wss)->next_layer().async_handshake(type, handler);
                 }
             }
diff --git a/src/WebSocketStream.h b/src/WebSocketStream.h
@@ -147,10 +147,11 @@ namespace aws {
                 /**
                  * Performs the SSL handshake between the localproxy and the proxy server asynchronously.
                  * @param type The handshake type
+                 * @param host the host subdoman and domain
                  * @param handler the callback handler when the async operation is complete.
                  */
                 void
-                async_ssl_handshake(const ssl::stream_base::handshake_type &type, const BoostCallbackFunc &handler);
+                async_ssl_handshake(const ssl::stream_base::handshake_type &type, const std::string &host, const BoostCallbackFunc &handler);
 #endif
 
                 /**

Original file line number	Diff line number	Diff line change
`@@ -885,8 +885,8 @@ namespace aws { namespace iot { namespace securedtunneling {`
`885`	`885`	`{`
`886`	`886`	`BOOST_LOG_SEV(log, debug) << "SSL host verification is off";`
`887`	`887`	`}`
`888`		`- //next ssl handshake`
`889`		`- tac.wss->async_ssl_handshake(boost::asio::ssl::stream_base::client, [=, &tac](boost::system::error_code const &ec)`
	`888`	`+ //next ssl handshake and providing host string`
	`889`	`+ tac.wss->async_ssl_handshake(boost::asio::ssl::stream_base::client, tac.adapter_config.proxy_host.c_str(), [=, &tac](boost::system::error_code const &ec)`
`890`	`890`	`{`
`891`	`891`	`if (ec)`
`892`	`892`	`{`
`@@ -2266,4 +2266,4 @@ namespace aws { namespace iot { namespace securedtunneling {`
`2266`	`2266`	`return false;`
`2267`	`2267`	`}`
`2268`	`2268`	`}`
`2269`		`-}}}`
	`2269`	`+}}}`