Skip to content

THRIFT-6078: Send SNI from Ruby SSL clients#3626

Merged
kpumuk merged 1 commit into
apache:masterfrom
kpumuk:rb-sni
Jul 6, 2026
Merged

THRIFT-6078: Send SNI from Ruby SSL clients#3626
kpumuk merged 1 commit into
apache:masterfrom
kpumuk:rb-sni

Conversation

@kpumuk

@kpumuk kpumuk commented Jul 6, 2026

Copy link
Copy Markdown
Member

Some TLS terminators, proxies, and load balancers require SNI in the ClientHello to route the connection or select the correct certificate. Ruby clients previously performed post-handshake hostname verification, but did not send a server hostname during the handshake.

Ruby Thrift::SSLSocket now sets the OpenSSL server hostname before starting the TLS handshake, allowing clients to send SNI for hostname-based SSL connections.

It also adds an optional server_hostname: override for cases where the client connects to one address but needs to indicate and verify a different DNS name.

  • Did you create an Apache Jira ticket? THRIFT-6078
  • If a ticket exists: Does your pull request title follow the pattern "THRIFT-NNNN: describe my issue"?
  • Did you squash your changes to a single commit? (not required, but preferred)
  • Did you do your best to avoid breaking changes? If one was needed, did you label the Jira ticket with "Breaking-Change"?
  • If your change does not involve any code, include [skip ci] anywhere in the commit message to free up build resources.

Client: rb

Co-Authored-By: OpenAI Codex (GPT-5.4) <codex@openai.com>
Copilot AI review requested due to automatic review settings July 6, 2026 14:20
@mergeable mergeable Bot added the ruby Pull requests that update Ruby code label Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Ruby Thrift::SSLSocket transport to send SNI (Server Name Indication) during the TLS handshake by configuring the OpenSSL socket’s server hostname before connecting, and adds an optional server_hostname: override to support connections where the dialed address and expected DNS name differ.

Changes:

  • Set OpenSSL::SSL::SSLSocket#hostname= (when appropriate) prior to the TLS handshake so Ruby clients emit SNI.
  • Add server_hostname: (defaulting to host) and use it for hostname verification, while avoiding SNI for IP-literal hostnames.
  • Extend Ruby specs to cover SNI behavior, server hostname override, and explicit SNI disablement.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
lib/rb/lib/thrift/transport/ssl_socket.rb Adds server_hostname support and configures SNI/verification behavior for Ruby SSL sockets.
lib/rb/spec/ssl_socket_spec.rb Updates and adds tests validating SNI setting, hostname override behavior, and SNI suppression for IP literals / explicit disablement.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@kpumuk kpumuk merged commit 4bbda18 into apache:master Jul 6, 2026
88 of 89 checks passed
@kpumuk kpumuk deleted the rb-sni branch July 6, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ruby Pull requests that update Ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants