From 19e5f06dbdf70098184e985bc346969be02fca39 Mon Sep 17 00:00:00 2001
From: PAUL SZABO
Date: Fri, 21 Mar 2025 08:38:53 -0700
Subject: [PATCH 1/3] Patch to add SNI to BoringSSL per #547
---
 pingora-core/src/protocols/tls/boringssl_openssl/stream.rs | 4 ++++
 pingora-core/src/protocols/tls/digest.rs | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
index 034c57cf..efaa1059 100644
--- a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
+++ b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
@@ -14,6 +14,7 @@
 use crate::protocols::digest::TimingDigest;
 use crate::protocols::tls::{SslDigest, ALPN};
+use crate::protocols::tls::boringssl_openssl::stream::ssl::NameType;
 use crate::protocols::{Peek, Ssl, UniqueID, UniqueIDType};
 use crate::tls::{self, ssl, tokio_ssl::SslStream as InnerSsl};
 use crate::utils::tls::{get_organization, get_serial};
@@ -202,6 +203,8 @@ impl SslDigest {
 }
 None => (Vec::new(), None, None),
 };
+ let sni = ssl.servername(NameType::HOST_NAME);
+ let sni_string: Option = sni.map(ToOwned::to_owned);
 SslDigest {
 cipher,
@@ -209,6 +212,7 @@ impl SslDigest {
 organization: org,
 serial_number: sn,
 cert_digest,
+ sni: sni_string,
 }
 }
 }
diff --git a/pingora-core/src/protocols/tls/digest.rs b/pingora-core/src/protocols/tls/digest.rs
index 8cfe49c0..c3b498af 100644
--- a/pingora-core/src/protocols/tls/digest.rs
+++ b/pingora-core/src/protocols/tls/digest.rs
@@ -27,4 +27,7 @@ pub struct SslDigest {
 pub serial_number: Option,
 /// The digest of the peer's certificate
 pub cert_digest: Vec,
+ /// the SNI used in the negotiation
+ pub sni: Option,
+
 }
From 8ac917593f2f3bd8bc824b563ff45dbaa75fcc63 Mon Sep 17 00:00:00 2001
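Review bot: The added import reaches `NameType` by a detour through this module's own path — `crate::protocols::tls::boringssl_openssl::stream::ssl::NameType` only resolves because the `ssl` name that `use crate::tls::{self, ssl, ...}` two lines below brings into scope is re-exported from here — which reads as if `NameType` lived under `protocols::tls` rather than in the TLS backend. If `ssl` is the `crate::tls::ssl` re-export, `use crate::tls::ssl::NameType;` (or simply `ssl::NameType::HOST_NAME` at the call site with no new import) states the origin directly. Patch 3 only reorders this line for rustfmt and keeps the detour.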
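Review bot: `ssl.servername(NameType::HOST_NAME)` yields the server name exactly as the peer wrote it into the ClientHello SNI extension; nothing in this hunk checks it against the certificate that was presented or against any expected host, so consumers of `SslDigest` that log or branch on `sni` must treat it as unvalidated peer input, and a comment should say so: `// SNI as sent by the peer in the ClientHello; not validated against the cert, None when absent`. If this constructor is also used for client-side (upstream) sessions — its signature is above the hunk — the field would presumably then hold the name this side configured rather than anything peer-supplied, which the field documentation should distinguish. The two temporaries here and the `sni: sni_string,` line in the following hunk can collapse into a single struct-literal field, `sni: ssl.servername(NameType::HOST_NAME).map(str::to_owned),`.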
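Review bot: The new doc comment `/// the SNI used in the negotiation` does not say whose name this is, whether it was validated, or when it is absent, which matters because the value comes straight from the peer's ClientHello; suggest `/// The server name (SNI) the peer sent in the TLS handshake, not validated against the presented certificate.` followed by a line stating that it is `None` when no SNI was sent or the TLS backend does not populate it. Adding a public field to an all-`pub` struct is also a breaking change for any downstream code that builds `SslDigest` with a struct literal — nothing in these patches adds a constructor or `#[non_exhaustive]` — so it is worth calling out if the type is part of the public API. The stray blank line before `}` is removed again in patch 3.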
From: Paul Szabo
Date: Sat, 22 Mar 2025 00:29:22 -0700
Subject: [PATCH 2/3] SNI stub for rustls and figure out how to compile pingora with Docker
---
 Dockerfile | 11 ++++++++++-
 pingora-core/src/protocols/tls/rustls/stream.rs | 3 +++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 0fb9ce90..22a9abb7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:latest as builder
+FROM debian:latest AS builder
 ARG BUILDARCH
 RUN apt-get -qq update \
@@ -6,6 +6,7 @@ RUN apt-get -qq update \
 gcc g++ libfindbin-libs-perl \
 make cmake libclang-dev git \
 wget curl gnupg ca-certificates lsb-release \
+ jq \
 && wget --no-check-certificate -O - https://openresty.org/package/pubkey.gpg | gpg --dearmor -o /usr/share/keyrings/openresty.gpg \
 && if [ "${BUILDARCH}" = "arm64" ]; then URL="http://openresty.org/package/arm64/debian"; else URL="http://openresty.org/package/debian"; fi \
 && echo "deb [arch=$BUILDARCH signed-by=/usr/share/keyrings/openresty.gpg] ${URL} $(lsb_release -sc) openresty" | tee /etc/apt/sources.list.d/openresty.list > /dev/null \
@@ -17,4 +18,12 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 WORKDIR /var/opt/pingora
 COPY . .
+
+# build one at a time because of conflicting cfg
 RUN cargo build
+RUN cargo build --features "openssl"
+RUN cargo build --features "boringssl"
+RUN cargo build --features "rustls"
+RUN cargo build --features "lb"
+RUN cargo build --features "proxy "
+RUN cargo build --features "cache"
diff --git a/pingora-core/src/protocols/tls/rustls/stream.rs b/pingora-core/src/protocols/tls/rustls/stream.rs
index 146626bb..ff3e6199 100644
--- a/pingora-core/src/protocols/tls/rustls/stream.rs
+++ b/pingora-core/src/protocols/tls/rustls/stream.rs
@@ -384,12 +384,15 @@ impl SslDigest {
 .map(|(organization, serial)| (organization, Some(serial)))
 .unwrap_or_default();
+ let sni = None;
+
 SslDigest {
 cipher,
 version,
 organization,
 serial_number,
 cert_digest,
+ sni,
 }
 }
 }
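Review bot: `let sni = None;` makes the rustls backend report "no SNI" for every connection without any comment that this is a stub, so anything keyed on `SslDigest::sni` (logging, per-host policy) silently behaves differently between backends and a reader cannot tell "peer sent none" from "not implemented". At minimum mark it: `let sni = None; // TODO: not yet populated for rustls; None here does not mean the peer omitted SNI`. rustls does expose the accepted server name on server-side connections via `ServerConnection::server_name()`, so if the value this constructor receives — its signature is above the hunk — gives access to the connection, the field could be filled rather than stubbed. The function's closing braces are inside the hunk; its start is not.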
From f2cc0414256ebec2d01290e650540d9695cd0f64 Mon Sep 17 00:00:00 2001
From: Paul Szabo
Date: Mon, 24 Mar 2025 11:44:53 -0700
Subject: [PATCH 3/3] issue #547, fix errors only seen in github recipe, revert Dockerfile
---
 Dockerfile | 11 +----------
 .../src/protocols/tls/boringssl_openssl/stream.rs | 2 +-
 pingora-core/src/protocols/tls/digest.rs | 1 -
 3 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 22a9abb7..0fb9ce90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:latest AS builder
+FROM debian:latest as builder
 ARG BUILDARCH
 RUN apt-get -qq update \
@@ -6,7 +6,6 @@ RUN apt-get -qq update \
 gcc g++ libfindbin-libs-perl \
 make cmake libclang-dev git \
 wget curl gnupg ca-certificates lsb-release \
- jq \
 && wget --no-check-certificate -O - https://openresty.org/package/pubkey.gpg | gpg --dearmor -o /usr/share/keyrings/openresty.gpg \
 && if [ "${BUILDARCH}" = "arm64" ]; then URL="http://openresty.org/package/arm64/debian"; else URL="http://openresty.org/package/debian"; fi \
 && echo "deb [arch=$BUILDARCH signed-by=/usr/share/keyrings/openresty.gpg] ${URL} $(lsb_release -sc) openresty" | tee /etc/apt/sources.list.d/openresty.list > /dev/null \
@@ -18,12 +17,4 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 WORKDIR /var/opt/pingora
 COPY . .
-
-# build one at a time because of conflicting cfg
 RUN cargo build
-RUN cargo build --features "openssl"
-RUN cargo build --features "boringssl"
-RUN cargo build --features "rustls"
-RUN cargo build --features "lb"
-RUN cargo build --features "proxy "
-RUN cargo build --features "cache"
diff --git a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
index efaa1059..5269b48d 100644
--- a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
+++ b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
@@ -13,8 +13,8 @@
 // limitations under the License.
 use crate::protocols::digest::TimingDigest;
-use crate::protocols::tls::{SslDigest, ALPN};
 use crate::protocols::tls::boringssl_openssl::stream::ssl::NameType;
+use crate::protocols::tls::{SslDigest, ALPN};
 use crate::protocols::{Peek, Ssl, UniqueID, UniqueIDType};
 use crate::tls::{self, ssl, tokio_ssl::SslStream as InnerSsl};
 use crate::utils::tls::{get_organization, get_serial};
diff --git a/pingora-core/src/protocols/tls/digest.rs b/pingora-core/src/protocols/tls/digest.rs
index c3b498af..87519a46 100644
--- a/pingora-core/src/protocols/tls/digest.rs
+++ b/pingora-core/src/protocols/tls/digest.rs
@@ -29,5 +29,4 @@ pub struct SslDigest {
 pub cert_digest: Vec,
 /// the SNI used in the negotiation
 pub sni: Option,
-
 }