Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #5379 - Better handling for wrong SNI. #5398

Merged
merged 4 commits into from
Oct 12, 2020
Merged

Fixes #5379 - Better handling for wrong SNI. #5398

merged 4 commits into from
Oct 12, 2020

Conversation

sbordet
Copy link
Contributor

@sbordet sbordet commented Oct 5, 2020

Now returning 400 when SNI does not match any certificate
and SecureRequestCustomizer.sniHostCheck=true.

Signed-off-by: Simone Bordet simone.bordet@gmail.com

@sbordet
Fixes #5379 - Better handling for wrong SNI.
62f550c 
Now returning 400 when SNI does not match any certificate
and SecureRequestCustomizer.sniHostCheck=true.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@sbordet sbordet requested a review from gregw October 5, 2020 17:09
@sbordet sbordet linked an issue Oct 5, 2020 that may be closed by this pull request
Better handling for wrong SNI #5379
Closed
@gregw
Copy link
Contributor

gregw commented Oct 6, 2020

@sbordet lots of CI failures?

@sbordet
Copy link
Contributor Author

sbordet commented Oct 6, 2020
edited
Loading

@gregw yes the problem is when you have a KeyStore that has only 1 certificate.
In this case, we don't wrap the KeyManagers with the SNI enabled ones, so we don't select SNI, but we add the SecureRequestCustomizer, which by default does a SNI host check, which of course fails because SNI was never chosen.

I think we can "force" SNI if there is only one certificate (but we always need to wrap), or we drop this change.
I'm leaning towards dropping it.

@gregw
Copy link
Contributor

gregw commented Oct 7, 2020

So if we drop it, is there a way with a single certificate to force the an SNI check is done on the host header?
I think that is desirable, but happy if t hat requires a manual addition of the SecureRequestCustomizer. Just so long as it can be done.

@sbordet
Fixes #5379 - Better handling for wrong SNI.
e54122b 
Reworked the SNI logic.
Added support for IP addresses in the SAN extension of certificates in the X509 class.
Fixed keystores to have CN=localhost and SAN with ip=127.0.0.1 and ip=[::1].
Fixed tests that were not using the correct Host header.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@sbordet
Copy link
Contributor Author

sbordet commented Oct 9, 2020

@gregw I updated the PR after discussion with @joakime as follows.

jetty.sslContext.sniRequired=true checks the SNI against the certificate at the TLS level. If no match, TLS failure.

jetty.ssl.sniRequired=true checks the SNI against the certificate at the HTTP level. If no match, HTTP 400.

So the 2 properties above are equivalent, the second just allows for a nicer error to users.

jetty.ssl.sniHostCheck=true checks the Host header against the certificate that has been sent to the client. If no match, HTTP 400.

Before the sniHostCheck was skipped most of the times (e.g. when the KeyStore only had 1 certificate), but now is consistent.
This required to change a number of tests that were using bogus Host headers.

However, is it ok to have sniHostCheck=true by default? For example, Google does not and behaves as if the 3 properties above are set to false.

WDYT?

@gregw
Copy link
Contributor

gregw commented Oct 9, 2020

@sbordet sounds good.
I say leave sniHostCheck=true by default as it has been that way and we don't want to change it on too many people.
As it is, his change will turn it on for some users that previously didn't have it... so that will be a surprise... but better to turn on than to turn off by surprise.

gregw
gregw approved these changes Oct 12, 2020
View reviewed changes
Copy link
Contributor

@gregw gregw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow that was bigger than expected!

@sbordet sbordet merged commit 1cd15e8 into jetty-10.0.x Oct 12, 2020
@sbordet sbordet deleted the jetty-10.0.x-5379-better_sni_handling branch October 12, 2020 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gregw gregw gregw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Better handling for wrong SNI
2 participants
@sbordet @gregw