ISSUE-14544: [Java Pulsar Client] Unable to use proxyServiceUrl - SNI routing

[sijie]

Original Issue: apache/pulsar#14544

---

I have a pulsar broker (standalone) with TLS encryption enabled behind an Apache TrafficServer proxy. I followed the docs to setup a java client to subscrible to a topic. However I'm not able to connect to the broker throught the proxy, the error was: 2022-03-03 11:17:25,832 [pulsar-client-io-1-1] WARN org.apache.pulsar.client.impl.ClientCnx - [hdfsslave1.sms.com/172.16.6.190:4443] Got exception io.netty.handler.codec.TooLongFrameException: Adjusted frame length exceeds 5253120: 1213486164 - discarded at io.netty.handler.codec.LengthFieldBasedFrameDecoder.fail(LengthFieldBasedFrameDecoder.java:503) at io.netty.handler.codec.LengthFieldBasedFrameDecoder.failIfNecessary(LengthFieldBasedFrameDecoder.java:489) at io.netty.handler.codec.LengthFieldBasedFrameDecoder.exceededFrameLength(LengthFieldBasedFrameDecoder.java:376) at io.netty.handler.codec.LengthFieldBasedFrameDecoder.decode(LengthFieldBasedFrameDecoder.java:419)

This is my records.config: CONFIG proxy.config.http.server_ports STRING 4443:ssl 4080 CONFIG proxy.config.ssl.server.cert.path STRING /opt/ts/etc/trafficserver/certs/ CONFIG proxy.config.ssl.server.private_key.path STRING /opt/ts/etc/trafficserver/certs/ CONFIG proxy.config.http.connect_ports STRING 4443 6651

ssl_server_name.config: `server_config = { { fqdn = 'pulsar-ssl',

Forward to Pulsar broker which is listening on 6651

 tunnel_route = 'pulsar-ssl:6651'

} } `

ssl_multicert.config: dest_ip=* ssl_cert_name=pulsar.cert.pem ssl_key_name=pulsar.key-pk8.pem

My client code:

public static void main(String[] args) throws PulsarClientException {
        String brokerServiceUrl = "pulsar+ssl://pulsar-ssl:6651/";
            String proxyUrl = "pulsar+ssl://hdfsslave1.sms.com:4443";
            ClientBuilder clientBuilder = PulsarClient.builder()
                    .serviceUrl(brokerServiceUrl)
                    .tlsTrustCertsFilePath("D:\\bitbucket\\pulsar-project\\pulsarlib\\pulsar-core\\src\\test\\resources\\pulsar-CA\\certs\\ca.cert.pem")
                    .enableTls(true)
                    .allowTlsInsecureConnection(true)
                    .proxyServiceUrl(proxyUrl, ProxyProtocol.SNI)
                    .operationTimeout(1000, TimeUnit.MILLISECONDS);

            PulsarClient pulsarClient = clientBuilder.build();
            Consumer consumer = pulsarClient.newConsumer().topic("non-persistent://public/default/test-proxy-topic").subscriptionType(SubscriptionType.Shared).subscriptionName("test1").subscribe();
            consumer.close();
    }

I checked the TLS handshake package and see no SNI extension: As far as I know, there should be a SNI extension with value 'pulsar-ssl' in TLS handshake packet

Pulsar Broker version: 2.9.3 Pulsar Client version: 2.7.0 TrafficServer version: 10.0.0

[luyou86]

is needed to configure client cert and key file?

Map<String, String> authParams = new HashMap<>(); authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH); authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH); clientBuilder.authentication(AuthenticationTls.class.getName(), authParams);

ProxyProtocolTest

[bigbang489]

is needed to configure client cert and key file?

Map<String, String> authParams = new HashMap<>(); authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH); authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH); clientBuilder.authentication(AuthenticationTls.class.getName(), authParams);

ProxyProtocolTest

In my test scenario, we use tls encryption without client auth

[luyou86]

PulsarChannelInitializer initTls

not sure whether to user SniHandler?