feat(tls): add rejectUnknownSNI support for TLS listeners
Adds RejectUnknownSNI and ServerNames fields to TLSConfig. When enabled, TLS handshakes with missing or non-allowlisted SNI are rejected at the handshake level via GetConfigForClient before any certificate is sent. Works across all TLS-based listener types (tls, mtls, ws, mws, http2, grpc, http3) since they share the same *tls.Config from LoadServerConfig.
This commit is contained in:
@@ -115,6 +115,9 @@ type TLSConfig struct {
|
||||
Validity time.Duration `yaml:",omitempty" json:"validity,omitempty"`
|
||||
CommonName string `yaml:"commonName,omitempty" json:"commonName,omitempty"`
|
||||
Organization string `yaml:",omitempty" json:"organization,omitempty"`
|
||||
|
||||
RejectUnknownSNI bool `yaml:"rejectUnknownSNI,omitempty" json:"rejectUnknownSNI,omitempty"`
|
||||
ServerNames []string `yaml:"serverNames,omitempty" json:"serverNames,omitempty"`
|
||||
}
|
||||
|
||||
type TLSOptions struct {
|
||||
|
||||
@@ -84,6 +84,7 @@ func ParseService(cfg *config.ServiceConfig) (service.Service, error) {
|
||||
if tlsConfig == nil {
|
||||
tlsConfig = parsing.DefaultTLSConfig().Clone()
|
||||
tls_util.SetTLSOptions(tlsConfig, tlsCfg.Options)
|
||||
tls_util.RejectUnknownSNIConfig(tlsConfig, tlsCfg.RejectUnknownSNI, tlsCfg.ServerNames)
|
||||
}
|
||||
|
||||
authers := auth_parser.List(cfg.Listener.Auther, cfg.Listener.Authers...)
|
||||
@@ -252,6 +253,7 @@ func ParseService(cfg *config.ServiceConfig) (service.Service, error) {
|
||||
if tlsConfig == nil {
|
||||
tlsConfig = parsing.DefaultTLSConfig().Clone()
|
||||
tls_util.SetTLSOptions(tlsConfig, tlsCfg.Options)
|
||||
tls_util.RejectUnknownSNIConfig(tlsConfig, tlsCfg.RejectUnknownSNI, tlsCfg.ServerNames)
|
||||
}
|
||||
|
||||
authers = auth_parser.List(cfg.Handler.Auther, cfg.Handler.Authers...)
|
||||
|
||||
Reference in New Issue
Block a user