Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present #6034

Closed
BruceMacD opened this issue Mar 4, 2021 · 3 comments · Fixed by #6036
Closed

SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present #6034

BruceMacD opened this issue Mar 4, 2021 · 3 comments · Fixed by #6036

Comments

@BruceMacD
Copy link
Contributor

Jetty version
Observed in jetty-9.4.35.v20201120 but the code is the same in the jetty-9.4.x branch and the jetty-10.0.x branch so it should have the same behavior.

Java version
Oracle JDK 8u281.

OS type/version
Mac OS 10.14 (this should be OS agnostic)

Description
Scenario
Hosting an application in Jetty with two certificates:

  • Certificate 1 with alias *.example.com
  • Certificate 2 with alias sub.example.com

Expected behavior
A request to sub.example.com selects certificate 2 (sub.example.com).

Actual behavior
A request to sub.example.com may select certificate 1 (*.example.com).

Details
This happens because SslContextFactory.sniSelect() returns the first certificate that matches the SNI host. If the wildcard cert happens to be stored first in the collection it will be returned with this behavior. I notice that X509.matches() checks wilds as well as hosts for a match, if there was a specific host match check in the SslContext factory before doing the more general match check then this behavior would be fixed.

This may be expected behavior, but it would be pretty simple to correct so I thought it was worth mentioning.
@sbordet
Copy link
Contributor

sbordet commented Mar 4, 2021

@BruceMacD as a workaround, you can always set your own SNISelector on SslContextFactory to implement a more precise logic.

I agree that we should try to match the precise domain first, then wildcard domains.

sbordet added a commit that referenced this issue Mar 4, 2021
@sbordet
Fixes #6034 - SslContextFactory may select a wildcard certificate dur…
7aa69c0 
…ing SNI selection when a more specific SSL certificate is present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@sbordet
Copy link
Contributor

sbordet commented Mar 4, 2021

@BruceMacD can you try #6036?

@BruceMacD
Copy link
Contributor Author

@sbordet
That change works perfectly in my case. Thanks.

@sbordet sbordet closed this as completed in 8de7b83 Mar 8, 2021
@sbordet sbordet linked a pull request Mar 8, 2021 that will close this issue
Fixes #6034 - SslContextFactory may select a wildcard certificate dur… #6036
Merged
sbordet added a commit that referenced this issue Mar 8, 2021
@sbordet
Fixes #6034 - SslContextFactory may select a wildcard certificate dur…
203fff7 
…ing SNI selection when a more specific SSL certificate is present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet added a commit that referenced this issue Mar 9, 2021
@sbordet
Fixes #6034 - SslContextFactory may select a wildcard certificate dur…
132f4b9 
…ing SNI selection when a more specific SSL certificate is present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@rijkr rijkr mentioned this issue Apr 10, 2021
Closed
@mpkusnierz mpkusnierz mentioned this issue Feb 24, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes #6034 - SslContextFactory may select a wildcard certificate dur… jetty/jetty.project
2 participants
@sbordet @BruceMacD