fix: relaxed SNI hostname resolution (#197)

When establishing TLS connections, SNI resolution may fail if the configured altHostname contains `_` or any other characters not allowed by domain name standards (i.e. letters, digits and hyphens). This change introduces a relaxed SNI resolution strategy which ignores the LDH rules completely. Because this change goes hand in hand with auth. via certificates, I was able to reproduce the issue only via UTs. At this point the official Coder releases supports only auth. via API keys.

Author: fioan89

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Fixed
+
+- relaxed SNI hostname resolution
+
 ## 0.6.5 - 2025-09-16
 
 ### Fixed

gradle.properties

@@ -1,3 +1,3 @@
-version=0.6.5
+version=0.6.6
 group=com.coder.toolbox
 name=coder-toolbox

src/main/kotlin/com/coder/toolbox/util/TLS.kt

@@ -4,8 +4,10 @@ import com.coder.toolbox.settings.ReadOnlyTLSSettings
 importokhttp3.internal.tls.OkHostnameVerifier
 importjava.io.File
 importjava.io.FileInputStream
+importjava.net.IDN
 importjava.net.InetAddress
 importjava.net.Socket
+importjava.nio.charset.StandardCharsets
 importjava.security.KeyFactory
 importjava.security.KeyStore
 importjava.security.cert.CertificateException
@@ -18,11 +20,12 @@ import java.util.Locale
 importjavax.net.ssl.HostnameVerifier
 importjavax.net.ssl.KeyManager
 importjavax.net.ssl.KeyManagerFactory
-importjavax.net.ssl.SNIHostName
+importjavax.net.ssl.SNIServerName
 importjavax.net.ssl.SSLContext
 importjavax.net.ssl.SSLSession
 importjavax.net.ssl.SSLSocket
 importjavax.net.ssl.SSLSocketFactory
+importjavax.net.ssl.StandardConstants
 importjavax.net.ssl.TrustManager
 importjavax.net.ssl.TrustManagerFactory
 importjavax.net.ssl.X509TrustManager
@@ -83,11 +86,13 @@ fun sslContextFromPEMs(
 
 funcoderSocketFactory(settings:ReadOnlyTLSSettings): SSLSocketFactory{
 val sslContext = sslContextFromPEMs(settings.certPath, settings.keyPath, settings.caPath)
-if (settings.altHostname.isNullOrBlank()){
+
+val altHostname = settings.altHostname
+if (altHostname.isNullOrBlank()){
 return sslContext.socketFactory
  }
 
-returnAlternateNameSSLSocketFactory(sslContext.socketFactory, settings.altHostname)
+returnAlternateNameSSLSocketFactory(sslContext.socketFactory, altHostname)
 }
 
 funcoderTrustManagers(tlsCAPath:String?): Array<TrustManager>{
@@ -111,7 +116,7 @@ fun coderTrustManagers(tlsCAPath: String?): Array<TrustManager>{
 return trustManagerFactory.trustManagers.map{MergedSystemTrustManger(it asX509TrustManager) }.toTypedArray()
 }
 
-classAlternateNameSSLSocketFactory(privatevaldelegate:SSLSocketFactory, private valalternateName:String?) :
+classAlternateNameSSLSocketFactory(privatevaldelegate:SSLSocketFactory, private valalternateName:String) :
 SSLSocketFactory(){
 overridefungetDefaultCipherSuites(): Array<String> = delegate.defaultCipherSuites
 
@@ -176,12 +181,19 @@ class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, priv
 
 privatefuncustomizeSocket(socket:SSLSocket){
 val params = socket.sslParameters
- params.serverNames =listOf(SNIHostName(alternateName))
+
+ params.serverNames =listOf(RelaxedSNIHostname(alternateName))
  socket.sslParameters = params
  }
 }
 
+privateclassRelaxedSNIHostname(hostname:String) : SNIServerName(
+StandardConstants.SNI_HOST_NAME,
+IDN.toASCII(hostname, 0).toByteArray(StandardCharsets.UTF_8)
+)
+
 classCoderHostnameVerifier(privatevalalternateName:String?) : HostnameVerifier{
+
 overridefunverify(
 host:String,
 session:SSLSession,

src/test/kotlin/com/coder/toolbox/util/AlternateNameSSLSocketFactoryTest.kt

@@ -0,0 +1,237 @@
+packagecom.coder.toolbox.util
+
+importio.mockk.Runs
+importio.mockk.every
+importio.mockk.just
+importio.mockk.mockk
+importio.mockk.verify
+importjava.net.InetAddress
+importjava.net.Socket
+importjavax.net.ssl.SSLParameters
+importjavax.net.ssl.SSLSocket
+importjavax.net.ssl.SSLSocketFactory
+importkotlin.test.Test
+importkotlin.test.assertEquals
+importkotlin.test.assertNotNull
+importkotlin.test.assertSame
+
+
+classAlternateNameSSLSocketFactoryTest{
+
+ @Test
+fun`createSocket with no parameters should customize socket with alternate name`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+
+ every{mockFactory.createSocket() } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+// When
+val result = alternateFactory.createSocket()
+
+// Then
+ verify{mockSocket.sslParameters = any() }
+ assertSame(mockSocket, result)
+ }
+
+ @Test
+fun`createSocket with host and port should customize socket with alternate name`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+
+ every{mockFactory.createSocket("original.com", 443) } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+// When
+val result = alternateFactory.createSocket("original.com", 443)
+
+// Then
+ verify{mockSocket.sslParameters = any() }
+ assertSame(mockSocket, result)
+ }
+
+ @Test
+fun`createSocket with host port and local address should customize socket`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+val localHost = mockk<InetAddress>()
+
+ every{mockFactory.createSocket("original.com", 443, localHost, 8080) } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+// When
+val result = alternateFactory.createSocket("original.com", 443, localHost, 8080)
+
+// Then
+ verify{mockSocket.sslParameters = any() }
+ assertSame(mockSocket, result)
+ }
+
+ @Test
+fun`createSocket with InetAddress should customize socket with alternate name`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+val address = mockk<InetAddress>()
+
+ every{mockFactory.createSocket(address, 443) } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+// When
+val result = alternateFactory.createSocket(address, 443)
+
+// Then
+ verify{mockSocket.sslParameters = any() }
+ assertSame(mockSocket, result)
+ }
+
+ @Test
+fun`createSocket with InetAddress and local address should customize socket`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+val address = mockk<InetAddress>()
+val localAddress = mockk<InetAddress>()
+
+ every{mockFactory.createSocket(address, 443, localAddress, 8080) } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+// When
+val result = alternateFactory.createSocket(address, 443, localAddress, 8080)
+
+// Then
+ verify{mockSocket.sslParameters = any() }
+ assertSame(mockSocket, result)
+ }
+
+ @Test
+fun`createSocket with existing socket should customize socket with alternate name`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSSLSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+val existingSocket = mockk<Socket>()
+
+ every{mockFactory.createSocket(existingSocket, "original.com", 443, true) } returns mockSSLSocket
+ every{mockSSLSocket.sslParameters } returns mockParams
+ every{mockSSLSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "alternate.example.com")
+
+// When
+val result = alternateFactory.createSocket(existingSocket, "original.com", 443, true)
+
+// Then
+ verify{mockSSLSocket.sslParameters = any() }
+ assertSame(mockSSLSocket, result)
+ }
+
+ @Test
+fun`customizeSocket should set SNI hostname to alternate name for valid hostname`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+
+ every{mockFactory.createSocket() } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "valid-hostname.example.com")
+
+// When & Then - This should work without throwing an exception
+ assertNotNull(alternateFactory.createSocket())
+ verify{mockSocket.sslParameters = any() }
+ }
+
+ @Test
+fun`customizeSocket should NOT throw IllegalArgumentException for hostname with underscore`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+
+ every{mockFactory.createSocket() } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "non_compliant_hostname.example.com")
+
+// When & Then - This should work without throwing an exception
+ assertNotNull(alternateFactory.createSocket())
+ verify{mockSocket.sslParameters = any() }
+ assertEquals(0, mockSocket.sslParameters.serverNames.size)
+ }
+
+ @Test
+fun`createSocket should work with valid international domain names`(){
+// Given
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+
+ every{mockFactory.createSocket() } returns mockSocket
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+val alternateFactory =AlternateNameSSLSocketFactory(mockFactory, "test-server.example.com")
+
+// When & Then - This should work as hyphens are valid
+ assertNotNull(alternateFactory.createSocket())
+ verify{mockSocket.sslParameters = any() }
+ }
+
+privatefuncreateMockSSLSocketFactory(): SSLSocketFactory{
+val mockFactory = mockk<SSLSocketFactory>()
+val mockSocket = mockk<SSLSocket>(relaxed =true)
+val mockParams = mockk<SSLParameters>(relaxed =true)
+
+// Setup default behavior
+ every{mockFactory.defaultCipherSuites } returns arrayOf("TLS_AES_256_GCM_SHA384")
+ every{mockFactory.supportedCipherSuites } returns arrayOf("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256")
+
+// Make all createSocket methods return our mock socket
+ every{mockFactory.createSocket() } returns mockSocket
+ every{mockFactory.createSocket(any<String>(), any<Int>()) } returns mockSocket
+ every{mockFactory.createSocket(any<String>(), any<Int>(), any<InetAddress>(), any<Int>()) } returns mockSocket
+ every{mockFactory.createSocket(any<InetAddress>(), any<Int>()) } returns mockSocket
+ every{
+ mockFactory.createSocket(
+ any<InetAddress>(),
+ any<Int>(),
+ any<InetAddress>(),
+ any<Int>()
+ )
+ } returns mockSocket
+ every{mockFactory.createSocket(any<Socket>(), any<String>(), any<Int>(), any<Boolean>()) } returns mockSocket
+
+// Setup SSL parameters
+ every{mockSocket.sslParameters } returns mockParams
+ every{mockSocket.sslParameters = any() } just Runs
+
+return mockFactory
+ }
+}