diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
index 9ba48d7e22f..549459280f2 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
@@ -33,6 +33,7 @@ public class TLSServerParameters extends TLSParameterBase {
 ClientAuthentication clientAuthentication;
 List excludeProtocols = new ArrayList<>();
 List includeProtocols = new ArrayList<>();
+ boolean sniHostCheck;
 /**
 * This parameter configures the server side to request and/or
@@ -83,4 +84,17 @@ public List getIncludeProtocols() {
 return includeProtocols;
 }
+ /**
+ * Returns if the SNI host name must match
+ */
+ public boolean isSniHostCheck() {
+ return sniHostCheck;
+ }
+
+ /**
+ * @param sniHostCheck if the SNI host name must match
+ */
+ public void setSniHostCheck(boolean sniHostCheck) {
+ this.sniHostCheck = sniHostCheck;
+ }
 }
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index 29f9d82dcad..e63623b2caa 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -92,6 +92,9 @@ public TLSServerParametersConfig(TLSServerParametersType params)
 if (params.isSetCertAlias()) {
 this.setCertAlias(params.getCertAlias());
 }
+ if (params.isSetSniHostCheck()) {
+ this.setSniHostCheck(params.isSniHostCheck());
+ }
 if (iparams != null && iparams.isSetKeyManagersRef()) {
 this.setKeyManagers(iparams.getKeyManagersRef());
 }
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index 5f5c5379f61..9e224a80117 100644
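Review bot: The new field `boolean sniHostCheck;` has no initializer, so it defaults to `false`, and the JettyHTTPServerEngine hunk later in this diff passes that value to `SecureRequestCustomizer(boolean)` in place of the no-arg constructor, which in Jetty 9.4.x defaults the check to `true`; for every deployment that does not set the new option this silently changes the SNI/Host consistency check from enforced to disabled. If relaxing the default is intended, the field and the accessor Javadoc in the following hunk should state it, e.g. `Whether the TLS SNI host name must match the HTTP Host header (default false, which disables Jetty's check)`; if it is not intended, initialize the field as `boolean sniHostCheck = true;`. The getter Javadoc `Returns if the SNI host name must match` should also read `Returns whether ...` and name what the SNI name is compared against, since "must match" alone does not say what.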
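Review bot: The copy is guarded by `params.isSetSniHostCheck()`, so any default the security.xsd hunk may declare for the attribute is never applied here: for a JAXB-generated type the `isSet` accessor is normally `value != null`, which is false for an absent attribute, and the constructor then keeps the field's Java default rather than the schema default. The schema hunk is not legible in this diff, so if it does declare a default, either call `this.setSniHostCheck(params.isSniHostCheck());` unconditionally so the generated getter supplies that default, or keep the Java and schema defaults deliberately identical and say so in a comment next to the guard. The surrounding `isSet` guards follow the same pattern for string-valued settings without defaults, which is why this one may have been copied without noticing the difference. The enclosing constructor starts and ends outside the hunk.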
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -657,5 +657,12 @@
+
+
+
+ If the SNI host name must match.
+
+
+
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index ffc88195261..35a3f2b91f4 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -68,6 +68,7 @@
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
@@ -679,7 +680,7 @@ AbstractConnector createConnectorJetty(SslContextFactory sslcf, String hosto, in
 result = new org.eclipse.jetty.server.ServerConnector(server);
 if (tlsServerParameters != null) {
- httpConfig.addCustomizer(new org.eclipse.jetty.server.SecureRequestCustomizer());
+ httpConfig.addCustomizer(new SecureRequestCustomizer(tlsServerParameters.isSniHostCheck()));
 if (!isHttp2Enabled(bus)) {
 final SslConnectionFactory scf = new SslConnectionFactory(sslcf, httpFactory.getProtocol());
diff --git a/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml b/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
index 77c138bfb30..5be3543e7be 100644
--- a/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
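Review bot: When `isSniHostCheck()` is false the customizer no longer rejects requests whose `Host` header disagrees with the TLS SNI name (Jetty 9.4.x answers those with a 400 when the check is on), which is the protection virtual-hosted or multi-certificate deployments rely on to keep a certificate bound to the host it was served for; a comment at the point of use such as `// sniHostCheck=false disables Jetty's SNI/Host consistency check; see TLSServerParameters#isSniHostCheck` would make the trade-off visible where the connector is built. Only the Jetty engine consumes the new parameter in this diff, while the netty-client test ServerConfig.xml is also modified; if that configuration sets the attribute, the schema accepts it but, as far as this diff shows, no netty engine reads it, so it deserves either an implementation there or a note in the schema documentation that the option is Jetty-only. `createConnectorJetty` starts and ends outside the hunk.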
+++ b/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
@@ -31,7 +31,7 @@
-
+