fix: handle invalid ServerNames during SSL handshake (getfider#689)

Author: goenning

app/pkg/web/ssl.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/getfider/fider/app/pkg/env"
 	"github.com/getfider/fider/app/pkg/errors"
 	"github.com/goenning/sqlcertcache"
 	"golang.org/x/crypto/acme/autocert"
@@ -78,12 +79,23 @@ func NewCertificateManager(certFile, keyFile string, conn *sql.DB) (*Certificate
 //Otherwise fallsback to a automatically generated certificate by Let's Encrypt
 func (m *CertificateManager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if m.leaf != nil {
-		//skip autoSSL is ServerName is empty or does't contain a dot
-		skipAutoCert := hello.ServerName == "" || !strings.Contains(strings.Trim(hello.ServerName, "."), ".")
-		if skipAutoCert || m.leaf.VerifyHostname(hello.ServerName) == nil {
+		serverName := strings.Trim(strings.ToLower(hello.ServerName), ".")
+
+		// If ServerName is empty or does't contain a dot, just return the certificate
+		if serverName == "" || !strings.Contains(serverName, ".") {
 			return &m.cert, nil
 		}
+
+		if env.IsSingleHostMode() {
+			return &m.cert, nil
+		} else if strings.HasSuffix(serverName, env.MultiTenantDomain()) {
+			if m.leaf.VerifyHostname(serverName) == nil {
+				return &m.cert, nil
+			}
+			return nil, errors.New(`ssl: invalid server name "%s"`, serverName)
+		}
 	}
+
 	return m.autossl.GetCertificate(hello)
 }
 

app/pkg/web/ssl_test.go

@@ -0,0 +1,73 @@
+package web
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/getfider/fider/app/pkg/dbx"
+	"github.com/getfider/fider/app/pkg/env"
+
+	. "github.com/getfider/fider/app/pkg/assert"
+)
+
+func Test_GetCertificate(t *testing.T) {
+	RegisterT(t)
+	db := dbx.New()
+	defer db.Close()
+
+	var testCases = []struct {
+		mode       string
+		cert       string
+		serverName string
+		valid      bool
+	}{
+		{"multi", "all-test-fider-io", "", true},
+		{"multi", "all-test-fider-io", "fider", true},
+		{"multi", "all-test-fider-io", "feedback.test.fider.io", true},
+		{"multi", "all-test-fider-io", "FEEDBACK.test.fider.io", true},
+		{"multi", "all-test-fider-io", "app.feedback.test.fider.io", false},
+		{"multi", "all-test-fider-io", "my.app.feedback.test.fider.io", false},
+		{"single", "test-fider-io", "test.fider.io", true},
+		{"single", "test-fider-io", "fider.io", true},
+	}
+
+	for _, testCase := range testCases {
+		env.Config.HostMode = testCase.mode
+		certFile := env.Path("/app/pkg/web/testdata/" + testCase.cert + ".crt")
+		keyFile := env.Path("/app/pkg/web/testdata/" + testCase.cert + ".key")
+		wildcardCert, _ := tls.LoadX509KeyPair(certFile, keyFile)
+
+		manager, err := NewCertificateManager(certFile, keyFile, db.Connection())
+		Expect(err).IsNil()
+		cert, err := manager.GetCertificate(&tls.ClientHelloInfo{
+			ServerName: testCase.serverName,
+		})
+
+		if testCase.valid {
+			Expect(err).IsNil()
+			Expect(cert.Certificate).Equals(wildcardCert.Certificate)
+		} else {
+			Expect(cert).IsNil()
+			Expect(err.Error()).ContainsSubstring(`ssl: invalid server name "` + testCase.serverName + `"`)
+		}
+	}
+}
+
+func Test_UseAutoCert(t *testing.T) {
+	RegisterT(t)
+	db := dbx.New()
+	defer db.Close()
+
+	manager, err := NewCertificateManager("", "", db.Connection())
+	Expect(err).IsNil()
+
+	invalidServerNames := []string{"ideas.app.com", "feedback.mysite.com"}
+
+	for _, serverName := range invalidServerNames {
+		cert, err := manager.GetCertificate(&tls.ClientHelloInfo{
+			ServerName: serverName,
+		})
+		Expect(err.Error()).Equals(`acme/autocert: unable to authorize "` + serverName + `"; tried ["tls-sni-02" "tls-sni-01"]`)
+		Expect(cert).IsNil()
+	}
+}

app/pkg/web/testdata/all-test-fider-io.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIQZvBk7RY1LHb59JC6cX5SCzANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MTIxODE5NDI1N1oXDTI4MTIxNTE5NDI1
+N1owEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANCVxVI/JkWjWoRgssk8A/94/E6xHkyBYU7ioDNSSYD5+/wtY3B9NrLV
+bKM8XZ5Sjv8OztoDA0BPaPGm3vxWBudo+qGsdnlgT9zFafw/lvlaiBWX2tsYf1ef
+7pgMfDZusJbep1bWq73TgjRUQRIeYSmjeUOjYISVLOkS0TcpDCNQ0Ps5fg2DElBE
+1oxAKCFE+j5gIv7GhqmM8Y/J85Lt1yqypo4XDAYkBrrZJ6ZVE4vvsyLT1ReDM7YT
+bIHXAyCOCGJT/WKtkQJuj8+/M2H2Ft7T+fOEIgbI7+AK7IqVh4Dtodn0m16RKfPX
+GurQUhG7KgKTQmYj7v20xNuoHU60LIMCAwEAAaNRME8wDgYDVR0PAQH/BAQDAgWg
+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIP
+Ki50ZXN0LmZpZGVyLmlvMA0GCSqGSIb3DQEBCwUAA4IBAQBqIgulNv4pzYkf8bLU
+e05N/pkESkWNEtUSEvGkMCh6I8pG+rn7TWvaJpj0mGDUHb9A+ZpT2jnDSr/TOsPu
+iUHjfqybg1zYIJ+ShSoWviEV9zKM57brjfTjP1onQvc4UOW5FrlodLkyCkFRuUHm
+M0M+3IDgk83g3Z0Pi3IdToSRXpVSQtACX/r87fontBAsv54SBGlnIlSxNIPCxaws
+EwpAh05MwuMFx13Nb23ns0dvN/4t5h6Mvim2++p9tjC+mceSbs3ebWIJYxRfCQ8S
+UbpGjlUro6BvEcqmx/3akF+1gzEB+FulEf94Ib/DLQi9vq9GXYFYtS2Wi9yIU1RG
+Dm8e
+-----END CERTIFICATE-----

app/pkg/web/testdata/all-test-fider-io.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0JXFUj8mRaNahGCyyTwD/3j8TrEeTIFhTuKgM1JJgPn7/C1j
+cH02stVsozxdnlKO/w7O2gMDQE9o8abe/FYG52j6oax2eWBP3MVp/D+W+VqIFZfa
+2xh/V5/umAx8Nm6wlt6nVtarvdOCNFRBEh5hKaN5Q6NghJUs6RLRNykMI1DQ+zl+
+DYMSUETWjEAoIUT6PmAi/saGqYzxj8nzku3XKrKmjhcMBiQGutknplUTi++zItPV
+F4MzthNsgdcDII4IYlP9Yq2RAm6Pz78zYfYW3tP584QiBsjv4ArsipWHgO2h2fSb
+XpEp89ca6tBSEbsqApNCZiPu/bTE26gdTrQsgwIDAQABAoIBABzv6kQSxrh6hSBA
+Wg1Y6iUTH826/L0YZeuPvTHhhJkEFVVS5qzAcko1GbE7urEwOu5fm4rbSCQv4BtG
+T0EqniKUidDMIFOObQXvzVhVahiF2sNEIfSrXV9GrM8jTEgw6wbDNOvzNDhNk462
+8aAV3tzr9PLRQ56hI23iUmwYobp0R57S+FOrTIBFOIwG0TcDKUQckGQ4xhubqkuW
+5YoRYq9AVZXekuYQUh+Qq0HF1dhZY4haafE+5cWkCa3W8fXsOg56l77gLNLeA1UW
+28wIc5cGihIab3PMj38ff5xflq7fMbuubEsA9mQfRY7n5C7Fek0E31fma/MG6sLh
+LL+QG0ECgYEA8IIj7C7H1IJncm1u9/96faC/gXuqQWTqstS6reU1YC9Gh/B3qlvO
+yOOzxR4xhme/d1wEoxyqeOJWsWdf9Qec+qh5mkVoQ6S32YzOe44ph/Shb0bU5Cb+
+GGQCXQfoh3PsRHIkLlcuKtIDhs6GtjMKFUse6m0p8eKIy8PQZeN5NckCgYEA3gU7
+NgFRevjzx99QTvCs27Fl8DdHrcZUXdYrSM4TG5/FolOfXCDzXSdevrRB+KNdgz7Q
+e2wDN7b3ba0WUIXKMrQ0Fnyq5lb9J3nz9ZPuzq0YCynMXj9pcI2E0sCHv1V74qyf
+4nVGWac99pjsmuTW5KrdE3lSLfH7fkeZG0w75esCgYB18pzDWz3MzhcFWv2sybG8
+onTIf2lDoMYo5YKXfWzrusOQLzHAbj2+70xeQyxuibqwQoRTqd9AYV+6qMO6Wv11
+P+JC8f7sDX/MRO2OUm2zqxjwhYAqU6URORqfnR1AMG2SM5fi0gZmIZBxMB+IgwdS
+4gBLXzXO1hXYODOfhCsRYQKBgQCDouRlc8ikucCIjB4of8hthbPkBlKodMQG0vnc
+89oecc+THDOLQzonzDT/qw7GZc4HCBJCa1tJCGGRlKN7YKfvAisz/fyyD3ePlV4R
+CAH6ZmSwEbtLUhupES9kaaTSy9NlJWaytUfd1iwF7suyVuYWtDvZ1P/ln+i2Cat8
+pOmKuwKBgGhumPyDVTr9a/e69gfkYgkFCaRsTTna6G73gYdBUrAprfPCdh8rr+r9
+HZc4TACJ3mWqLaFxQFhTpkeGI2R0T1P6/axMjdHdYWKtEGrb9WZT17LyLlU1KpoB
+zwMIzeK2FjaZcF6pZBvC74crTlO2N+HNNY7SJVZgZuy1c/3FieXi
+-----END RSA PRIVATE KEY-----

app/pkg/web/testdata/test-fider-io.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIRANUSMa4sYILX7j43vG350C8wDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xODEyMTgxOTQzMTZaFw0yODEyMTUxOTQz
+MTZaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDBo7fJiYGczbuoWWV/PlxGkDRny3gT6+OyRK2VE4DonktgfOJpdeJo
+ehLPYvAN0OZeuMrkz/6Rp9OqzmYUpyY3ah5s/sjTxz4f2ApATUNhYVqMrdWd6TKE
+M+kUY8sF2DGZSM1PhitksRvSuuRaw+GukpPydeEqgCZCZRDLmZuL4fOkvc4VnRtw
+mTjHY+AQykbcKvMe7PDDx9ZR54njGnkcVgHICuIH10RrVsidDqzCDJD+iIyDLHLA
+zV3jsRQTSfF5KiCpxie8VcflQEDj2hdmUFDWR8fRjqsDznL/DdUaH6HQyvoo/Fg5
+IdD6eiFvzeqxUhXryG/cQwwHRRL8bGTlAgMBAAGjTzBNMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBgGA1UdEQQRMA+C
+DXRlc3QuZmlkZXIuaW8wDQYJKoZIhvcNAQELBQADggEBACgpyFNP1i2ccF3BqPqm
+PrJZ/kHrLu72rWXGL/0RE1ukYsdy/SLM4yzHHcf3LUSFxg1vKeuygcN3jQVxPP3K
+/JLBhOdwHS67cPAvyBkXEFU3K3DzZCcHShpLe3Ry2fxYsRASFK2uNNTpPIQabB9T
+ZfiHp5X6Hgs85OKUUG+xJXKu6yFw9TMe0qtGXOU1dW3wnZxtX8h+0CF0phH61SQj
+rlqcJNPBDagcFFOmvol5tFyc8JqSJ6CGtNJjoaTo17rOM5WbCiU5lhDayMT5eIF1
+Sk7UtXfDG0MT7hm4P5+hxhepnlSxB0PqrTWa4iL9la0FHm+3IUIjlIckS8qNGpTg
+Guw=
+-----END CERTIFICATE-----

app/pkg/web/testdata/test-fider-io.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwaO3yYmBnM27qFllfz5cRpA0Z8t4E+vjskStlROA6J5LYHzi
+aXXiaHoSz2LwDdDmXrjK5M/+kafTqs5mFKcmN2oebP7I08c+H9gKQE1DYWFajK3V
+nekyhDPpFGPLBdgxmUjNT4YrZLEb0rrkWsPhrpKT8nXhKoAmQmUQy5mbi+HzpL3O
+FZ0bcJk4x2PgEMpG3CrzHuzww8fWUeeJ4xp5HFYByAriB9dEa1bInQ6swgyQ/oiM
+gyxywM1d47EUE0nxeSogqcYnvFXH5UBA49oXZlBQ1kfH0Y6rA85y/w3VGh+h0Mr6
+KPxYOSHQ+nohb83qsVIV68hv3EMMB0US/Gxk5QIDAQABAoIBAQCQ8l0jljOYTYQY
+G3rXSbXG+DDSNUNYHi4eBjytJ6FJ/xvLSRAuAxkMPbyQ0q2AmgungcoWhv82xpqx
+87gD466+ske+LOXlaPI+4feidHNolHg0b/dEMggnX7gsFBsn79IIvK86xOL8h3qd
+Plqq+o+Xno7yYny+1JhPANoWnZAKnzXmlwlSAEp/1mFRqsAvJn55Oq6dAUS8WkI/
+WGPuJjhAf/RjYwaror7SzUjMX2XD3gKllpPxLZMdX1NJW7bQHHVh91npYN0zjudK
+wFK2zPO5W9Gh4WWwy6MfZ8XkDohgoBxQ0cqi0yS1Hq79TvPuKH0vcJ1d6Te3GSiv
+BE7DJ81NAoGBANtqwtmUPgYqLU1l6VocTQV7XJUs0r6PnlGA1EY6qO+x5tQ+rKn8
+EDd410+jtvRjD/MsdTURs50RPUrpfhrhtFfOw9O5C3k3XnwirRcVDGrEOCSavKUm
+yZt/QWr1WqYVTndHveaMiaMF9a2cI+pM+qPImx/6NwMrgXH04qhAnYv/AoGBAOHs
+tiPoxsPoqFpoWdSk46HeQDp+T7petT58Iw3FD38JrFv1Nwc+v7dfbTnP4ZxqIm6D
+NAQ8oKpWL0OH+nUAaOg6Cbn3CMRh4yH7sptphADQqn35uTIHcnrEOgKQjVe3aOGu
+bhhXTMm6T9DgMovV61UFH/N7pkzZ6iJq8j+HJV8bAoGAVQrPFLexRoBoaJw8UpGv
+hJVor+TclcFicmKFY+bufWCtf8v+7i9lNarfgN2KVrRihTTRBM2kmRcKc5OGLfMX
+DAV2vwP0n3nHZEOoZM7irir5O67BuR0MfPlYqJUKGl8dt3uV7drAqe/wZeajwPcv
+GfXxsfYwBkmBdWKdyuqoZY8CgYEA2aMrjwoluAH/dCBEMSmqs3sjinW1nkav+IKj
+TheApxONe4SMvyj+jMqbsO6GWySPCMDRsicpaw3dOAPdDSsY5GVMi13jjzLxGAKc
++0O5SwO4yeRwODaeXI99hozz7AUePxHGsyIeMdKOIxxm9PhdXKi0L9z0xeHCv+cg
+eHxbTvMCgYASVKcG5BR7SR3YEseqInETJpn+sW2fU3VeuAaHwDYjQRbUr1iK5wAK
+6cd0ixQ9kmDHxl/26ZepHrsy2aT5+KE2ukqtZ4MP5njNCYW4kjHcDfDTqbHB0Mc0
+aZND9j/jF6hPsB9h2r1L7FNHdF9nAbtUtJ9ZRMOt4QFLzuCBWQ3Flg==
+-----END RSA PRIVATE KEY-----

etc/all-dev-fider-io.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIQPHy+qrjWAli48X78lKnSPDANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MTIxOTA3MDIwOFoXDTI4MTIxNjA3MDIw
+OFowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMaY5Tu7pDE5Ae9ZTikVUTdy16wNh6E73coZtyekxIXYfIw3j0rw1Z+S
+hc8mt6RmTYJzCLPQF7wX1hBMlq5KNlYxomfkfT7qaHSSTr6FZuZiH8kiCIG1dF/i
+tMkVP7c+sBfqr3BnXqjMQRX2gidR8DQcX44VvIX9ivQBvbHEZ8UFXbyIp2/Bm0+G
+GXPQHO8EHI74biiAW1FdqNpWFkTvsmy4mVgB3pWH2ZUdIbKyHo2IBQ0it1dmu3kd
+EUU3Wc1GPa5u+0/9cxrmnhnZXGSXKQzcbcACTNmaWPLR0QLFkK4TDfOeiT4OelUr
+VglxPod189LrKbr3ij56dtWXcIqz1BcCAwEAAaNQME4wDgYDVR0PAQH/BAQDAgWg
+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwGQYDVR0RBBIwEIIO
+Ki5kZXYuZmlkZXIuaW8wDQYJKoZIhvcNAQELBQADggEBAEsj9hvQzeOBqVcfGVYM
+BFck5KWRlzDO/4w113IXVqCyqeIyp3sRmD57Td5KSirZ2Ypj6zx9XrUipGth+sd2
+tp5TqASDoAmaABLlFnKbXM9re4+knbHOZsbvV8fZiJqm3VHHFc33E5zBBkRx9OP0
+YmguZ5+y3jiNNdJp3oyZ6kjHM1ESAqYhY6lE2Lqt40e0ISenJ6ZsushGYwLbvR4U
+gLnGZPOP6JsCUFnX7deNyHLFJdB3BVoY9X788/LwDXmgDeL0uDUT5w4hQD9RWOeb
+Q9A3hpY7t+HP8YJFacDqx0z3MpsshipQ3x+vkIFWndUolfbalvcUQeP5Fh+geLGf
+0+U=
+-----END CERTIFICATE-----

etc/all-dev-fider-io.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxpjlO7ukMTkB71lOKRVRN3LXrA2HoTvdyhm3J6TEhdh8jDeP
+SvDVn5KFzya3pGZNgnMIs9AXvBfWEEyWrko2VjGiZ+R9PupodJJOvoVm5mIfySII
+gbV0X+K0yRU/tz6wF+qvcGdeqMxBFfaCJ1HwNBxfjhW8hf2K9AG9scRnxQVdvIin
+b8GbT4YZc9Ac7wQcjvhuKIBbUV2o2lYWRO+ybLiZWAHelYfZlR0hsrIejYgFDSK3
+V2a7eR0RRTdZzUY9rm77T/1zGuaeGdlcZJcpDNxtwAJM2ZpY8tHRAsWQrhMN856J
+Pg56VStWCXE+h3Xz0uspuveKPnp21ZdwirPUFwIDAQABAoIBAQCvrQ6ScWFEHY6l
+oJUwaGgIqbE4xFsm+GMwZOEM04b4c1FxY7CA9VuzJZTycuheKBUGgSXAkiJ8w4Ub
+s/RSxtkcFBn61zcnkYnHHKlFhZJJ16EQdeeafd4s98k+W2qaeXyiG3sH7pjgrpYg
+jIgDqkrWfgbVFEtJJ8hkIqof94Jn189bgBHjgiruXw3fv9S+HxNV7Jeq227l5SFA
+fD/mx7c1XY7tnebzGYbgTFvgAl9zyYqrdWOg0dvAI860dQDTCJVY5YlGKEf/2wut
+VFjsxx6TcKP1YurPK7FLuzLLImfykyr/HGuvqPMUU3OZMNQylYy2cMLm7XRNiOh0
+cpvAlSQhAoGBAPnAsyM2cs86TdXgadisSmi9XiqoUCheOIgLWE2psQDiDHJRmiwi
+xbQUySpt2ks5NEjT9D743xYnXG/groB9dsOs/GHteFkNjDmooktEp3nXIHw3IbrD
+w5ZuT1axhUSKXQGHq0D/xe7/tL8/4/hR515lZkGKkuFs3W/TKmuKVCPxAoGBAMuQ
+nqk+aGleXk4wHEShvNOqdfi76GO674F/6z+j0VgKePr0PlFsWVB5AWbpx0FU96iK
+u7BLiP+5mzl27GcnL/BqHfW3mP6VwQlRzhi8s/+MpDqHTkSvFZUBia/CzKaAR7Gl
+9H9ZKy4WanM+59LtX0jDqVTxpZbNXCiaivDBAuCHAoGBAJ6/zt3uCRIRlFIDQCRa
+dz2WSNnCfJj8MuC+nVVYLEtMY+7yUZYGUDaEE84lX2D7LnGwUAsK8/pH8KioXyML
+HMeKGC5C3IF2bBBmUSqYq/91L4/lF0p4jsT6vvFzCyui6zVCwCcjrPOak5ARE13O
+6csFlvbIF060fRhMWCVdGthxAoGAaR+CD/x+hwuIv+/waTDtBpHc4lqHpBkBXmrk
+3bSHg2PFHjPLitjdNsWGh9LqZz6ttogObPhVA1qiYoabhpmiFBF470+k3rQPP/TS
+7ctlWO8UUHVXYfjYuF5W8EE01jcgzwjYvnsZ5W8GAgXWSgLzVexVIdy4mqvqj71f
+Sv0hszkCgYAmSGhDQLl2EHyRtLZx3U+mvEUR+bfxelae5Mt5CbZ1E8+5Rk1ZYOEL
+4pfM7wt5EP3VarzCv+7xFDTXE2fBZ/jQfqLXpLPolMgWVDLNUIH21J+R8NxAdBi4
+k1Qw/HpGwRaj1z45tMz9YnNEJsP/SbTWjZBKpDCccgfiqQ07t8mmjw==
+-----END RSA PRIVATE KEY-----