New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ISPN-15069 CVE-2023-4586 Hot Rod TLS Hostname validation #11148
ISPN-15069 CVE-2023-4586 Hot Rod TLS Hostname validation #11148
Conversation
317c584
to
2d30c45
Compare
...ient/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelInitializer.java
Outdated
Show resolved
Hide resolved
...d-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelFactory.java
Outdated
Show resolved
Hide resolved
2d30c45
to
b6ae403
Compare
@tristantarrant I think it needs to be rebased on top of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't say I understand everything but it looks good to me. Waiting for the docs to give it a try (if it is urgent, it can be merged right away)
@@ -173,16 +178,26 @@ private void initSsl(Channel channel) { | |||
throw new CacheConfigurationException(e); | |||
} | |||
} else { | |||
sslContext = new JdkSslContext(ssl.sslContext(), true, ClientAuth.NONE); | |||
sslContext = new JdkSslContext(ssl.sslContext(), true, null, IdentityCipherSuiteFilter.INSTANCE, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this will throw an NPE because JdkApplicationProtocolNegotiator
is null. There is a null check in netty this.apn = (JdkApplicationProtocolNegotiator)ObjectUtil.checkNotNull(apn, "apn");
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You missed the fact that the overload calls toNegotiator(apn, !isClient)
which, if apn
is null, will use the default instance
@@ -171,16 +176,25 @@ private void initSsl(Channel channel) { | |||
throw new CacheConfigurationException(e); | |||
} | |||
} else { | |||
sslContext = new JdkSslContext(ssl.sslContext(), true, ClientAuth.NONE); | |||
sslContext = new JdkSslContext(ssl.sslContext(), true, null, IdentityCipherSuiteFilter.INSTANCE, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
possible NPE here too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above
9adaf4d
to
f365dc8
Compare
@@ -223,6 +224,17 @@ public SslConfigurationBuilder ciphers(String... ciphers) { | |||
return enable(); | |||
} | |||
|
|||
/** | |||
* Configures whether to enable hostname validation according to <a href="https://datatracker.ietf.org/doc/html/rfc2818">RFC 2818</a>. | |||
* This is enabled by default and requires that the server certificate includes a subjectAltName extension of type dNSName or iPAddress. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume we're going to disable this by default on the 14.0.x branch? This could break a lot of existing deployments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to run this by PST
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PST confirms that, because this is a CVE, it needs to be enabled by default. No way around it.
@@ -27,6 +27,7 @@ The following defaults have changed for the Hot Rod client: | |||
* `socket_timeout` is now 2000 ms / 2 seconds (previously 60000 ms / 60 seconds) | |||
* `max_retries` is now 3 (was 10) | |||
* `min_evictable_idle_time` is now 180000 ms / 3 minutes (previously 1800000 ms / 30 minutes) | |||
* `ssl_hostname_validation` is a new property and defaults to `true`. This also requires setting the `sni_hostname`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we also state that the server-side certs may also have to be updated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I'm also going to add a warning on server startup if the certificate doesn't have the SubjectAlternativeNamesExtension
Good afternoon. I know you are all busy, but just want to check if there is any plan to continue moving forward with this pull request. Thanks. |
@tbmoomau yes, after the holiday season. |
fc584fc
to
52814be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @tristantarrant, I added two suggestions. Let me know if you want me to add my commit
Certificates should include the `subjectAltName` extension of type `dNSName` and/or `iPAddress` so that clients can correctly perform | ||
hostname validation, according to the rules defined by the https://datatracker.ietf.org/doc/html/rfc2818[RFC 2818] specification. | ||
The server will issue a warning if it is started with a certificate which does not include such an extension. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Certificates should include the `subjectAltName` extension of type `dNSName` and/or `iPAddress` so that clients can correctly perform | |
hostname validation, according to the rules defined by the https://datatracker.ietf.org/doc/html/rfc2818[RFC 2818] specification. | |
The server will issue a warning if it is started with a certificate which does not include such an extension. | |
Certificates must include the `subjectAltName` extension of the `dNSName` or `iPAddress` type, or both, to enable clients to perform hostname validation, following the rules defined by the https://datatracker.ietf.org/doc/html/rfc2818[RFC 2818] specification. | |
If the certificate does not include this extension, the server issues a warning upon startup. |
By default, Hot Rod clients will also perform hostname validation by matching the `dNSName` and/or `iPAddress` contained by the server certificate's `subjectAltName` extension with the expected hostname. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By default, Hot Rod clients will also perform hostname validation by matching the `dNSName` and/or `iPAddress` contained by the server certificate's `subjectAltName` extension with the expected hostname. | |
By default, Hot Rod clients also perform hostname validation by matching the `dNSName` or `iPAddress` or both types contained by the server certificate's `subjectAltName` extension with the expected hostname. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and/or can be ambiguous and causes translation problems
* Add TLS hostname validation * Per-cluster SNI * Implict SNI if not set * Also add a method to return current cluster * JMX equivalent of above
52814be
to
0c6b15e
Compare
Added @domiborges change and rebased. This is now ready |
Failures are unrelated |
Thanks @tristantarrant |
https://issues.redhat.com/browse/ISPN-15069
This also enables TLS hostname validation by default according to RFC 2818, which also allows us to test it.