From 60c5c0bbcd7aada7b0368ff01fd24af838ebbf87 Mon Sep 17 00:00:00 2001
From: Yang Yang
Date: Thu, 8 Sep 2022 17:00:03 +0800
Subject: [PATCH 1/2] Add SNI header when tlsHostnameVerification is not enabled
---
 .../internal/http/AsyncHttpConnector.java | 5 +++
 .../apache/pulsar/client/impl/HttpClient.java | 5 +++
 .../client/util/WithSNISslEngineFactory.java | 42 +++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
index 4595d6fd54d2e..ea00930e54650 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
@@ -51,6 +51,7 @@
 import org.apache.pulsar.client.api.KeyStoreParams;
 import org.apache.pulsar.client.impl.PulsarServiceNameResolver;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.util.WithSNISslEngineFactory;
 import org.apache.pulsar.common.util.FutureUtil;
 import org.apache.pulsar.common.util.SecurityUtility;
 import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
@@ -171,6 +172,10 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest,
 conf.getTlsProtocols());
 }
 confBuilder.setSslContext(sslCtx);
+ if (!conf.isTlsHostnameVerificationEnable()) {
+ confBuilder.setSslEngineFactory(new WithSNISslEngineFactory(serviceNameResolver
+ .resolveHostUri().getHost()));
+ }
 }
 }
 confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
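Review bot: The SNI host handed to `WithSNISslEngineFactory` in the second hunk is resolved once, when the client is built, via `serviceNameResolver.resolveHostUri().getHost()`, so if the configured service URL lists several brokers every TLS handshake will carry whichever host the resolver returned at that moment rather than the peer actually being connected to; the HttpClient hunk in this patch and its relocation in PATCH 2/2 have the same shape. Because this branch only runs when hostname verification is disabled, the SNI name is never checked against the certificate the broker presents, which is worth saying in a comment such as `// SNI lets the broker choose a certificate; with hostname verification off the name is not validated`. If `getHost()` yields an IP literal (bracketed IPv6 in particular), `new SNIHostName(...)` inside the factory is likely to throw an IllegalArgumentException on every connection attempt instead of failing at configuration time, so consider guarding this block with a check that the host is a DNS name. The enclosing method starts and ends outside the hunk.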
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
index 5d22a9bef1ff9..6c4f069ae12cc 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -43,6 +43,7 @@
 import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.client.api.PulsarClientException.NotFoundException;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.util.WithSNISslEngineFactory;
 import org.apache.pulsar.common.util.ObjectMapperFactory;
 import org.apache.pulsar.common.util.SecurityUtility;
 import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
@@ -144,6 +145,10 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest,
 confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
 confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
+ if (!conf.isTlsHostnameVerificationEnable()) {
+ confBuilder.setSslEngineFactory(new WithSNISslEngineFactory(serviceNameResolver
+ .resolveHostUri().getHost()));
+ }
 } catch (GeneralSecurityException e) {
 throw new PulsarClientException.InvalidConfigurationException(e);
 } catch (Exception e) {
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java b/pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java
new file mode 100644
index 0000000000000..965a7f2aec328
--- /dev/null
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/util/WithSNISslEngineFactory.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.client.util;
+
+import java.util.Collections;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import org.asynchttpclient.AsyncHttpClientConfig;
+import org.asynchttpclient.netty.ssl.DefaultSslEngineFactory;
+
+public class WithSNISslEngineFactory extends DefaultSslEngineFactory {
+ private final String host;
+
+ public WithSNISslEngineFactory(String host) {
+ this.host = host;
+ }
+
+ @Override
+ protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
+ super.configureSslEngine(sslEngine, config);
+ SSLParameters params = sslEngine.getSSLParameters();
+ params.setServerNames(Collections.singletonList(new SNIHostName(host)));
+ sslEngine.setSSLParameters(params);
+ }
+}
From a84e913a9799768841996cc350ea69502628f4a2 Mon Sep 17 00:00:00 2001
From: Yang Yang
Date: Fri, 9 Sep 2022 21:45:47 +0800
Subject: [PATCH 2/2] Minor fixes.
---
 .../java/org/apache/pulsar/client/impl/HttpClient.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
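Review bot: `WithSNISslEngineFactory`'s constructor stores `host` unchecked and defers `new SNIHostName(host)` to `configureSslEngine`, so a null or malformed host surfaces as an exception on every connection attempt instead of once when the client is constructed. Building the name eagerly moves that failure to the right place: `this.serverNames = Collections.singletonList(new SNIHostName(Objects.requireNonNull(host, "host")));` in the constructor (with `java.util.Objects` imported) and `params.setServerNames(serverNames);` in the override. The class and its constructor also carry no Javadoc; a summary stating that it installs an explicit SNI `server_name` extension on engines created by the async-http-client, and that it does not itself verify the peer certificate against that name, would help readers who only ever see it used on the hostname-verification-disabled path.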
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
index 6c4f069ae12cc..68082f65be6d1 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -141,14 +141,14 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest,
 conf.getTlsProtocols());
 }
 confBuilder.setSslContext(sslCtx);
+ if (!conf.isTlsHostnameVerificationEnable()) {
+ confBuilder.setSslEngineFactory(new WithSNISslEngineFactory(serviceNameResolver
+ .resolveHostUri().getHost()));
+ }
 }
 confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
 confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
- if (!conf.isTlsHostnameVerificationEnable()) {
- confBuilder.setSslEngineFactory(new WithSNISslEngineFactory(serviceNameResolver
- .resolveHostUri().getHost()));
- }
 } catch (GeneralSecurityException e) {
 throw new PulsarClientException.InvalidConfigurationException(e);
 } catch (Exception e) {