Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present #6034

Closed
BruceMacD opened this issue Mar 4, 2021 · 3 comments · Fixed by #6036

Comments

@BruceMacD
Copy link
Contributor

@BruceMacD BruceMacD commented Mar 4, 2021

Jetty version
Observed in jetty-9.4.35.v20201120 but the code is the same in the jetty-9.4.x branch and the jetty-10.0.x branch so it should have the same behavior.

Java version
Oracle JDK 8u281.

OS type/version
Mac OS 10.14 (this should be OS agnostic)

Description
Scenario
Hosting an application in Jetty with two certificates:

  • Certificate 1 with alias *.example.com
  • Certificate 2 with alias sub.example.com

Expected behavior
A request to sub.example.com selects certificate 2 (sub.example.com).

Actual behavior
A request to sub.example.com may select certificate 1 (*.example.com).

Details
This happens because SslContextFactory.sniSelect() returns the first certificate that matches the SNI host. If the wildcard cert happens to be stored first in the collection it will be returned with this behavior. I notice that X509.matches() checks wilds as well as hosts for a match, if there was a specific host match check in the SslContext factory before doing the more general match check then this behavior would be fixed.

This may be expected behavior, but it would be pretty simple to correct so I thought it was worth mentioning.

@sbordet
Copy link
Contributor

@sbordet sbordet commented Mar 4, 2021

@BruceMacD as a workaround, you can always set your own SNISelector on SslContextFactory to implement a more precise logic.

I agree that we should try to match the precise domain first, then wildcard domains.

sbordet added a commit that referenced this issue Mar 4, 2021
…ing SNI selection when a more specific SSL certificate is present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@sbordet
Copy link
Contributor

@sbordet sbordet commented Mar 4, 2021

@BruceMacD can you try #6036?

@BruceMacD
Copy link
Contributor Author

@BruceMacD BruceMacD commented Mar 4, 2021

@sbordet
That change works perfectly in my case. Thanks.

@sbordet sbordet closed this in 8de7b83 Mar 8, 2021
@sbordet sbordet added this to To do in Jetty 10.0.2/11.0.2 via automation Mar 8, 2021
sbordet added a commit that referenced this issue Mar 8, 2021
…ing SNI selection when a more specific SSL certificate is present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet added a commit that referenced this issue Mar 9, 2021
…ing SNI selection when a more specific SSL certificate is present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@sbordet sbordet moved this from To do to Done in Jetty 10.0.2/11.0.2 Mar 24, 2021
@gregw gregw added this to Done in Jetty 9.4.39 Mar 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
No open projects
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants