如何在 k8s 入口或 OpenShift 路由中使用 SNI 发送请求
How to send a request with SNI in k8s ingress or OpenShift route
在 OpenShift 平台中,我为 https 服务创建了一个路由,如下所示。路由为https直通类型,hostname为“www.https.com”.
oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
abc-route www.https.com abc-service 8888 passthrough None
我有几个问题,在文档 https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html 中,它提到路由支持带 SNI 的 https 和带 SNI 的 TLS:
(1) 主机名“www.https.com”是 SNI 吗?
(2)我想知道客户端如何使用 SNI 发送请求?上面说了两种场景:https带SNI和TLS带SNI。
谢谢。
3.1. Server Name Indication
[TLS] does not provide a mechanism for a client to tell a server
the name of the server it is contacting. It may be desirable for
clients to provide this information to facilitate secure
connections to servers that host multiple 'virtual' servers at a
single underlying network address.
In order to provide the server name, clients MAY include an
extension of type "server_name" in the (extended) client hello.
其中 client hello 消息是 TLS hanshake 的一部分。
The 'client hello' message: The client initiates the handshake by sending a "hello" message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the "client random."
- 主机名“www.https.com”是 SNI 吗?
任何 dns 名称都可以是有效的 SNI。来自 RFC:
Currently the only server names supported are DNS hostnames, however
this does not imply any dependency of TLS on DNS, and other name
types may be added in the future (by an RFC that Updates this
document). TLS MAY treat provided server names as opaque data and
pass the names and types to the application
- 我想知道客户端如何使用 SNI 发送请求?上面说了两种场景:https带SNI和TLS带SNI。
来自 RFC:
In order to provide the server name, clients MAY include an
extension of type "server_name" in the (extended) client hello.
The "extension_data" field of this extension SHALL contain
"ServerNameList" where:
<<redacted for readibility>>
带有 SNI 的 HTTPS 和带有 SNI 的 TLS 的不同之处在于 HTTPS 是 L7 而 TSL 是 OSI 模型的 L4。
这意味着 SNI 可用于基于域的路由,不仅适用于 http 流量,也适用于原始 tls 流量。
在 OpenShift 平台中,我为 https 服务创建了一个路由,如下所示。路由为https直通类型,hostname为“www.https.com”.
oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
abc-route www.https.com abc-service 8888 passthrough None
我有几个问题,在文档 https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html 中,它提到路由支持带 SNI 的 https 和带 SNI 的 TLS:
(1) 主机名“www.https.com”是 SNI 吗?
(2)我想知道客户端如何使用 SNI 发送请求?上面说了两种场景:https带SNI和TLS带SNI。
谢谢。
3.1. Server Name Indication
[TLS] does not provide a mechanism for a client to tell a server the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address.
In order to provide the server name, clients MAY include an extension of type "server_name" in the (extended) client hello.
其中 client hello 消息是 TLS hanshake 的一部分。
The 'client hello' message: The client initiates the handshake by sending a "hello" message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the "client random."
- 主机名“www.https.com”是 SNI 吗?
任何 dns 名称都可以是有效的 SNI。来自 RFC:
Currently the only server names supported are DNS hostnames, however this does not imply any dependency of TLS on DNS, and other name types may be added in the future (by an RFC that Updates this document). TLS MAY treat provided server names as opaque data and pass the names and types to the application
- 我想知道客户端如何使用 SNI 发送请求?上面说了两种场景:https带SNI和TLS带SNI。
来自 RFC:
In order to provide the server name, clients MAY include an extension of type "server_name" in the (extended) client hello. The "extension_data" field of this extension SHALL contain
"ServerNameList" where:<<redacted for readibility>>
带有 SNI 的 HTTPS 和带有 SNI 的 TLS 的不同之处在于 HTTPS 是 L7 而 TSL 是 OSI 模型的 L4。
这意味着 SNI 可用于基于域的路由,不仅适用于 http 流量,也适用于原始 tls 流量。