Copy SSL options to new sni contexts (#1583)

Apparently with SNI the call to `LibSSL.ssl_set_ssl_ctx()` does not
carry the `verify_mode` from `new_context` to the `ssl` object. This
causes connections with bad client cert always succeed even if mTLS is
configured.

This PR fixes the problem by calling `LibSSL.ssl_set_verify()` on the
SSL connection to set the verify mode after changing the context.

More options are now explicitly copied:

```
// 1. Verify mode and callback (you already know this)
SSL_set_verify

// 2. Verify depth
SSL_set_verify_depth

// 3. Client CA list (for requesting client certificates)
SSL_set_client_CA_list

// 4. Options flags
SSL_clear_options
SSL_set_options
```

---------

Co-authored-by: Carl Hörberg <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>

Author: 3 people

spec/sni_spec.cr

@@ -1,4 +1,5 @@
 require "./spec_helper"
+require "../src/stdlib/openssl_on_server_name"
 
 describe LavinMQ::SNIHost do
   it "creates TLS contexts with default settings" do
@@ -312,4 +313,111 @@ describe "SNI end-to-end" do
     tcp_server.close
     server_done.receive
   end
+
+  it "rejects connection without client cert when mTLS is enabled via SNI" do
+    sni_manager = LavinMQ::SNIManager.new
+    mtls_host = LavinMQ::SNIHost.new("mtls.localhost")
+    mtls_host.tls_cert = "spec/resources/server_certificate.pem"
+    mtls_host.tls_key = "spec/resources/server_key.pem"
+    mtls_host.tls_verify_peer = true
+    mtls_host.tls_ca_cert = "spec/resources/ca_certificate.pem"
+    sni_manager.add_host(mtls_host)
+
+    mtls_host.amqp_tls_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::PEER | OpenSSL::SSL::VerifyMode::FAIL_IF_NO_PEER_CERT)
+
+    default_ctx = OpenSSL::SSL::Context::Server.new
+    default_ctx.verify_mode = OpenSSL::SSL::VerifyMode::NONE
+    default_ctx.certificate_chain = "spec/resources/server_certificate.pem"
+    default_ctx.private_key = "spec/resources/server_key.pem"
+
+    default_ctx.on_server_name do |hostname|
+      sni_manager.get_host(hostname).try(&.amqp_tls_context)
+    end
+
+    tcp_server = TCPServer.new("127.0.0.1", 0)
+    port = tcp_server.local_address.port
+
+    server_done = Channel(Nil).new
+
+    spawn do
+      if client = tcp_server.accept?
+        begin
+          ssl_socket = OpenSSL::SSL::Socket::Server.new(client, default_ctx)
+          ssl_socket.close
+        rescue
+        ensure
+          client.close
+        end
+      end
+      server_done.send(nil)
+    end
+
+    tcp_client = TCPSocket.new("127.0.0.1", port)
+    client_ctx = OpenSSL::SSL::Context::Client.new
+    client_ctx.verify_mode = OpenSSL::SSL::VerifyMode::NONE
+    begin
+      expect_raises(Exception) do
+        ssl_client = OpenSSL::SSL::Socket::Client.new(tcp_client, client_ctx, hostname: "mtls.localhost")
+        ssl_client.gets
+      end
+    ensure
+      tcp_client.close
+    end
+
+    tcp_server.close
+    server_done.receive
+  end
+
+  it "accepts connection with valid client cert when mTLS is enabled via SNI" do
+    sni_manager = LavinMQ::SNIManager.new
+    mtls_host = LavinMQ::SNIHost.new("mtls.localhost")
+    mtls_host.tls_cert = "spec/resources/server_certificate.pem"
+    mtls_host.tls_key = "spec/resources/server_key.pem"
+    mtls_host.tls_verify_peer = true
+    mtls_host.tls_ca_cert = "spec/resources/ca_certificate.pem"
+    sni_manager.add_host(mtls_host)
+
+    default_ctx = OpenSSL::SSL::Context::Server.new
+    default_ctx.verify_mode = OpenSSL::SSL::VerifyMode::NONE
+    default_ctx.certificate_chain = "spec/resources/server_certificate.pem"
+    default_ctx.private_key = "spec/resources/server_key.pem"
+
+    default_ctx.on_server_name do |hostname|
+      sni_manager.get_host(hostname).try(&.amqp_tls_context)
+    end
+
+    tcp_server = TCPServer.new("127.0.0.1", 0)
+    port = tcp_server.local_address.port
+
+    server_done = Channel(Nil).new
+
+    spawn do
+      if client = tcp_server.accept?
+        begin
+          ssl_socket = OpenSSL::SSL::Socket::Server.new(client, default_ctx)
+          ssl_socket.close
+        rescue
+        ensure
+          client.close
+        end
+      end
+      server_done.send(nil)
+    end
+
+    tcp_client = TCPSocket.new("127.0.0.1", port)
+    client_ctx = OpenSSL::SSL::Context::Client.new
+    client_ctx.verify_mode = OpenSSL::SSL::VerifyMode::NONE
+    client_ctx.certificate_chain = "spec/resources/client_certificate.pem"
+    client_ctx.private_key = "spec/resources/client_key.pem"
+    begin
+      ssl_client = OpenSSL::SSL::Socket::Client.new(tcp_client, client_ctx, hostname: "mtls.localhost")
+      ssl_client.gets
+      ssl_client.close
+    ensure
+      tcp_client.close
+    end
+
+    tcp_server.close
+    server_done.receive
+  end
 end

src/lavinmq/launcher.cr

@@ -10,6 +10,7 @@ require "./pidfile"
 require "./etcd"
 require "./clustering/controller"
 require "./standalone_runner"
+require "../stdlib/openssl_on_server_name"
 
 module LavinMQ
   class Launcher

src/stdlib/openssl_on_server_name.cr

@@ -0,0 +1,67 @@
+# Monkey-patch OpenSSL::SSL::Context::Server#on_server_name to copy
+# settings that SSL_set_SSL_CTX does not propagate to the SSL connection:
+# verify mode, verify depth, client CA list, and options.
+# Without this, mTLS and per-host TLS settings break when switching
+# contexts via SNI.
+
+require "openssl"
+
+lib LibSSL
+  fun ssl_set_verify = SSL_set_verify(ssl : SSL, mode : LibC::Int, callback : Void*) : Void
+  fun ssl_set_verify_depth = SSL_set_verify_depth(ssl : SSL, depth : LibC::Int) : Void
+  fun ssl_ctx_get_verify_depth = SSL_CTX_get_verify_depth(ctx : SSLContext) : LibC::Int
+  fun ssl_ctx_get_client_ca_list = SSL_CTX_get_client_CA_list(ctx : SSLContext) : Void*
+  fun ssl_dup_ca_list = SSL_dup_CA_list(list : Void*) : Void*
+  fun ssl_set_client_ca_list = SSL_set_client_CA_list(ssl : SSL, list : Void*) : Void
+  fun ssl_get_options = SSL_get_options(ssl : SSL) : ULong
+  fun ssl_set_options = SSL_set_options(ssl : SSL, options : ULong) : ULong
+  fun ssl_clear_options = SSL_clear_options(ssl : SSL, options : ULong) : ULong
+end
+
+class OpenSSL::SSL::Context::Server
+  @[Experimental]
+  def on_server_name(&block : String -> OpenSSL::SSL::Context::Server?)
+    c_callback = Proc(LibSSL::SSL, LibC::Int*, Void*, LibC::Int).new do |ssl, alert_ptr, arg|
+      servername_ptr = LibSSL.ssl_get_servername(ssl, LibSSL::TLSExt::NAMETYPE_host_name)
+      if servername_ptr.null?
+        next LibSSL::SSL_TLSEXT_ERR_OK
+      end
+
+      begin
+        hostname = String.new(servername_ptr)
+
+        callback = Box(typeof(block)).unbox(arg)
+        new_context = callback.call(hostname)
+
+        if new_context
+          new_ctx = new_context.to_unsafe
+          LibSSL.ssl_set_ssl_ctx(ssl, new_ctx)
+
+          # SSL_set_SSL_CTX does not copy these settings:
+          verify_mode = LibSSL.ssl_ctx_get_verify_mode(new_ctx).to_i
+          LibSSL.ssl_set_verify(ssl, verify_mode, nil)
+          LibSSL.ssl_set_verify_depth(ssl, LibSSL.ssl_ctx_get_verify_depth(new_ctx))
+
+          ca_list = LibSSL.ssl_ctx_get_client_ca_list(new_ctx)
+          unless ca_list.null?
+            LibSSL.ssl_set_client_ca_list(ssl, LibSSL.ssl_dup_ca_list(ca_list))
+          end
+
+          LibSSL.ssl_clear_options(ssl, LibSSL.ssl_get_options(ssl))
+          LibSSL.ssl_set_options(ssl, LibSSL.ssl_ctx_get_options(new_ctx))
+        end
+
+        LibSSL::SSL_TLSEXT_ERR_OK
+      rescue
+        alert_ptr.value = LibSSL::SSL_AD_INTERNAL_ERROR
+        LibSSL::SSL_TLSEXT_ERR_ALERT_FATAL
+      end
+    end
+
+    callback_box = Box.box(block)
+    @sni_callback_box = callback_box
+
+    LibSSL.ssl_ctx_callback_ctrl(@handle, LibSSL::SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, c_callback.unsafe_as(Proc(Void)))
+    LibSSL.ssl_ctx_ctrl(@handle, LibSSL::SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, 0, callback_box)
+  end
+end