Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow hostname verification to be set on SSL configuration #7436

Closed
acdemyers opened this issue May 6, 2019 · 4 comments
Closed

Allow hostname verification to be set on SSL configuration #7436

acdemyers opened this issue May 6, 2019 · 4 comments
Labels
design-issue

Comments

@acdemyers
Copy link
Contributor

acdemyers commented May 6, 2019
edited
Loading

Today Liberty has the ability to enable hostname verification on for secure connections using httpsURLConnections. While using httpsURLConnection accounts for a lot of outbound call it does not cover all.

example of current configuration:

      <sslDefault httpHostNameVerification=“true”/>

The proposed change is to make hostname verification configurable at the SSL configuration level. That means hostname verification will be performed for all outbound connection using the specified SSL configuration.

For this to work the transportSecurity-1.0 feature needs to be enabled. The suggested configuration will look something like this:

    <ssl id="DefaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" verifyHostname="true" />
    <keyStore id="defaultKeyStore" location="${server.config.dir}/test.p12" type="PKCS12" password="liberty" />
    <keyStore id="defaultTrustStore" location="${server.config.dir}/testTrust.p12" type="PKCS12" password="liberty" />

Hostname checking will be performed by the JDK by the TrustManagers following the server identity that looks at the server's certificate's SubjectDN or SubjectAltName (SAN) information.

Since the checking can look for SAN information in a certificate I'm also suggesting we add the server hostname to the SubjectAltName extension of the default certificate. The SubjectAltName part of the certificate will contain the server's hostname in the DNSName attribute by default, something like this:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: myhost.austin.ibm.com
]
@acdemyers acdemyers assigned acdemyers and unassigned acdemyers May 6, 2019
@acdemyers
Copy link
Contributor Author

Since we are adding information to the default certificate it would probably be a good idea to expose customizing of SubjectAltName information through the securityUtility, createSSLCertificate command.

@acdemyers
Copy link
Contributor Author

In the design meeting issues meeting it was suggested that I change the configuration name from enableHostnameVerification to verifyHostname. The description above has already been updated.

@acdemyers
Copy link
Contributor Author

It was agreed that this feature did not need a WAD. This issue can be closed.

@acdemyers
Copy link
Contributor Author

Closing the design issue. Hostname verification PRs include: #7469, #7564, #7609, #7659

@cbridgha cbridgha moved this to Implemented in Design Issues Aug 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
design-issue
Projects
Design Issues
Status: Implemented
Milestone
No milestone
Development

No branches or pull requests
1 participant
@acdemyers