
Swoole v4.6 New Feature: SNI Support

2024-01-25
Swoole SNI Support Summary

Introduction to SNI Protocol

Swoole version 4.6.0 introduced support for Server Name Indication (SNI), a TLS extension that lets a server present multiple certificates on the same IP address and TCP port. This makes it possible to host multiple HTTPS websites or other TLS-based services on one IP without using the same certificate for all of them.

Solving Multiple Virtual Hosts Issue

Just as HTTP uses the Host header to name the requested domain, TLS carries the hostname in the Client Hello phase of the handshake. The server reads it there, selects the matching virtual host, and returns that host's certificate.

Swoole's SNI Support Implementation

An issue was raised on Swoole's GitHub requesting the ability to configure SSL certificates per hostname. This feature had already been added in a previous release but was not yet documented in English.

Setting Up SNI in Swoole

To demonstrate Swoole's SNI setup, a Swoole HTTP Server is created with the 'ssl_sni_certs' option. This option takes a multidimensional array keyed by hostname, where each value is the certificate configuration for that hostname.

Example Swoole HTTP Server with SNI

<?php
use Swoole\Http\Request;
use Swoole\Http\Response;
use Swoole\Http\Server;

// Directory holding the default certificate and the per-hostname SNI certificates.
define('SSL_FILE_DIR', __DIR__ . '/ssl_certs');

// TLS is enabled on the listening socket with the SWOOLE_SSL flag.
$http = new Server('127.0.0.1', 9501, SWOOLE_BASE, SWOOLE_SOCK_TCP | SWOOLE_SSL);
$http->set([
    'log_file' => '/dev/null',
    // Default certificate, used when the client sends no SNI or an unknown hostname.
    'ssl_cert_file' => SSL_FILE_DIR . '/server.crt',
    'ssl_key_file' => SSL_FILE_DIR . '/server.key',
    // Test configuration: TLSv1.1 and SSLv2 are legacy protocols and should be dropped in production.
    'ssl_protocols' => SWOOLE_SSL_TLSv1_2 | SWOOLE_SSL_TLSv1_3 | SWOOLE_SSL_TLSv1_1 | SWOOLE_SSL_SSLv2,
    // Per-hostname certificates: the key is the hostname the client sends in the SNI extension.
    'ssl_sni_certs' => [
        'cs.php.net' => [
            'ssl_cert_file' => SSL_FILE_DIR . '/sni_server_cs_cert.pem',
            'ssl_key_file' => SSL_FILE_DIR . '/sni_server_cs_key.pem',
        ],
        'uk.php.net' => [
            'ssl_cert_file' => SSL_FILE_DIR . '/sni_server_uk_cert.pem',
            'ssl_key_file' => SSL_FILE_DIR . '/sni_server_uk_key.pem',
        ],
        'us.php.net' => [
            'ssl_cert_file' => SSL_FILE_DIR . '/sni_server_us_cert.pem',
            'ssl_key_file' => SSL_FILE_DIR . '/sni_server_us_key.pem',
        ],
    ],
]);
$http->on('request', function (Request $request, Response $response) {
    $response->end('Hello Swoole');
});
$http->start();

Client Testing and Packet Analysis

A client test script connects to the server for each hostname and var_dumps the Common Name of the certificate it receives. tcpdump captures the traffic and Wireshark is used to inspect it. The capture confirms that the server_name extension appears only in the Client Hello, the unencrypted first message of the handshake, which is how SNI lets a server with multiple domain names establish the correct TLS connection for each.
