Support configurable TLS client SNI validation and handle FQDNs with trailing dot (#1383)

Author: jfallows

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/internal/TlsConfiguration.java

@@ -28,6 +28,7 @@ public class TlsConfiguration extends Configuration
     public static final LongPropertyDef TLS_AWAIT_SYNC_CLOSE_MILLIS;
     public static final BooleanPropertyDef TLS_PROACTIVE_CLIENT_REPLY_BEGIN;
     public static final BooleanPropertyDef TLS_CLIENT_HTTPS_IDENTIFICATION;
+    public static final BooleanPropertyDef TLS_CLIENT_SERVER_NAME_INDICATION;
     public static final BooleanPropertyDef TLS_VERBOSE;
     public static final BooleanPropertyDef TLS_DEBUG;
 
@@ -42,6 +43,7 @@ public class TlsConfiguration extends Configuration
         TLS_AWAIT_SYNC_CLOSE_MILLIS = config.property("await.sync.close.millis", 3000L);
         TLS_PROACTIVE_CLIENT_REPLY_BEGIN = config.property("proactive.client.reply.begin", false);
         TLS_CLIENT_HTTPS_IDENTIFICATION = config.property("client.https.identification", true);
+        TLS_CLIENT_SERVER_NAME_INDICATION = config.property("client.server.name.indication", true);
         TLS_VERBOSE = config.property("verbose", TlsConfiguration::verboseDefault);
         TLS_DEBUG = config.property("debug", TlsConfiguration::debugDefault);
         TLS_CONFIG = config;
@@ -83,6 +85,11 @@ public boolean clientHttpsIdentification()
         return TLS_CLIENT_HTTPS_IDENTIFICATION.getAsBoolean(this);
     }
 
+    public boolean clientServerNameIndication()
+    {
+        return TLS_CLIENT_SERVER_NAME_INDICATION.getAsBoolean(this);
+    }
+
     public boolean verbose()
     {
         return TLS_VERBOSE.getAsBoolean(this);

runtime/binding-tls/src/main/java/io/aklivity/zilla/runtime/binding/tls/internal/config/TlsBindingConfig.java

@@ -73,6 +73,7 @@ public final class TlsBindingConfig
     private SSLContext context;
 
     private boolean clientHttpsIdentification;
+    private boolean clientServerNameIndication;
 
     public TlsBindingConfig(
         BindingConfig binding)
@@ -126,6 +127,7 @@ public void init(
 
             this.context = context;
             this.clientHttpsIdentification = config.clientHttpsIdentification();
+            this.clientServerNameIndication = config.clientServerNameIndication();
         }
         catch (Exception ex)
         {
@@ -240,9 +242,10 @@ public SSLEngine newClientEngine(
                 parameters.setEndpointIdentificationAlgorithm("HTTPS");
             }
 
-            if (sni != null)
+            if (clientServerNameIndication && sni != null)
             {
                 List<SNIServerName> serverNames = sni.stream()
+                        .map(TlsBindingConfig::trimHostnameTrailingDot)
                         .map(SNIHostName::new)
                         .collect(toList());
                 parameters.setServerNames(serverNames);
@@ -496,4 +499,10 @@ private List<String> ignoreEmptyNames(
 
         return names;
     }
+
+    private static String trimHostnameTrailingDot(
+        String hostname)
+    {
+        return hostname.endsWith(".") ? hostname.substring(0, hostname.length() - 1) : hostname;
+    }
 }