ngrok / kubernetes-ingress-controller

The official ngrok Ingress Controller for Kubernetes
https://ngrok.com
MIT License

Remove port portion from destination to present FQDN as SNI #304

Closed nikolay-ngrok closed 9 months ago

nikolay-ngrok commented 9 months ago

What

When forwarding a TLS connection, we are setting the ServerName/SNI to the target. According to RFC 6066:

"HostName" contains the fully qualified DNS hostname of the server,
   as understood by the client.  The hostname is represented as a byte
   string using ASCII encoding without a trailing dot.  This allows the
   support of internationalized domain names through the use of A-labels
   defined in [RFC5890].  DNS hostnames are case-insensitive.  The
   algorithm to compare hostnames is described in [RFC5890], Section
   2.3.2.4.

However, our target is in the form cluster-service-name:port, which fails validation in some server libraries, as highlighted by https://github.com/libressl/portable/issues/660. We should instead just set cluster-service-name as the SNI.

How

Remove the port portion of the address before setting ServerName in the tunnel.

Breaking Changes

None
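The change described in this pull request, sketched as an added example (not the controller's own code): deriving an RFC 6066 compliant ServerName from a `host:port` target and showing why the raw target is rejected by a strict check. The names `sniFromTarget` and `strictHostName` are hypothetical, the character check is a simplified assumption about what a strict server may enforce, and the sample targets are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sniFromTarget (hypothetical helper) turns a forwarding target such as
// "cluster-service-name:443" into a value usable as the TLS ServerName.
// It returns "" for IP literals, which RFC 6066 does not permit in HostName.
func sniFromTarget(target string) string {
	host := target
	// SplitHostPort errors on a bare host (no port); keep the input then.
	if h, _, err := net.SplitHostPort(target); err == nil {
		host = h
	}
	host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	ip := host
	if i := strings.IndexByte(ip, '%'); i >= 0 {
		ip = ip[:i] // drop an IPv6 zone before the IP check
	}
	if net.ParseIP(ip) != nil {
		return ""
	}
	return strings.TrimSuffix(host, ".") // RFC 6066: no trailing dot
}

// strictHostName approximates the check a strict TLS server may apply to the
// received SNI (assumption: ASCII letters, digits, '-' and '.' only).
func strictHostName(name string) bool {
	if name == "" || len(name) > 255 || strings.HasSuffix(name, ".") {
		return false
	}
	for _, r := range name {
		ok := r == '-' || r == '.' || (r >= '0' && r <= '9') ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		if !ok {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample targets, not taken from the PR.
	for _, t := range []string{"cluster-service-name:443", "svc.ns.svc.cluster.local.:8443", "[::1]:443", "svc"} {
		sni := sniFromTarget(t)
		fmt.Printf("%-32s raw ok=%-5v sni=%q ok=%v\n", t, strictHostName(t), sni, strictHostName(sni))
	}
}
```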