ISPN-15069 CVE-2023-4586 Hot Rod TLS Hostname validation #11148
Conversation
tristantarrant
force-pushed
the
ISPN-15069/cluster_sni
branch
from
317c584
to
2d30c45
Compare
...ient/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelInitializer.java
Outdated
Show resolved
Hide resolved
...d-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelFactory.java
Outdated
Show resolved
Hide resolved
tristantarrant
force-pushed
the
ISPN-15069/cluster_sni
branch
from
2d30c45
to
b6ae403
Compare
|
@tristantarrant I think it needs to be rebased on top of |
| @@ -173,16 +178,26 @@ private void initSsl(Channel channel) { | |||
| throw new CacheConfigurationException(e); | |||
| } | |||
| } else { | |||
| sslContext = new JdkSslContext(ssl.sslContext(), true, ClientAuth.NONE); | |||
| sslContext = new JdkSslContext(ssl.sslContext(), true, null, IdentityCipherSuiteFilter.INSTANCE, | |||
There was a problem hiding this comment.
I think this will throw an NPE because JdkApplicationProtocolNegotiator is null. There is a null check in netty this.apn = (JdkApplicationProtocolNegotiator)ObjectUtil.checkNotNull(apn, "apn");
There was a problem hiding this comment.
You missed the fact that the overload calls toNegotiator(apn, !isClient) which, if apn is null, will use the default instance
| @@ -171,16 +176,25 @@ private void initSsl(Channel channel) { | |||
| throw new CacheConfigurationException(e); | |||
| } | |||
| } else { | |||
| sslContext = new JdkSslContext(ssl.sslContext(), true, ClientAuth.NONE); | |||
| sslContext = new JdkSslContext(ssl.sslContext(), true, null, IdentityCipherSuiteFilter.INSTANCE, | |||
tristantarrant
force-pushed
the
ISPN-15069/cluster_sni
branch
3 times, most recently
from
9adaf4d
to
f365dc8
Compare
| @@ -223,6 +224,17 @@ public SslConfigurationBuilder ciphers(String... ciphers) { | |||
| return enable(); | |||
| } | |||
|
|
|||
| /** | |||
| * Configures whether to enable hostname validation according to <a href="https://datatracker.ietf.org/doc/html/rfc2818">RFC 2818</a>. | |||
| * This is enabled by default and requires that the server certificate includes a subjectAltName extension of type dNSName or iPAddress. | |||
There was a problem hiding this comment.
I assume we're going to disable this by default on the 14.0.x branch? This could break a lot of existing deployments.
There was a problem hiding this comment.
I need to run this by PST
There was a problem hiding this comment.
PST confirms that, because this is a CVE, it needs to be enabled by default. No way around it.
| @@ -27,6 +27,7 @@ The following defaults have changed for the Hot Rod client: | |||
| * `socket_timeout` is now 2000 ms / 2 seconds (previously 60000 ms / 60 seconds) | |||
| * `max_retries` is now 3 (was 10) | |||
| * `min_evictable_idle_time` is now 180000 ms / 3 minutes (previously 1800000 ms / 30 minutes) | |||
| * `ssl_hostname_validation` is a new property and defaults to `true`. This also requires setting the `sni_hostname`. | |||
There was a problem hiding this comment.
Should we also state that the server-side certs may also have to be updated?
There was a problem hiding this comment.
Yes, I'm also going to add a warning on server startup if the certificate doesn't have the SubjectAlternativeNamesExtension
|
Good afternoon. I know you are all busy, but just want to check if there is any plan to continue moving forward with this pull request. Thanks. |
|
@tbmoomau yes, after the holiday season. |
tristantarrant
force-pushed
the
ISPN-15069/cluster_sni
branch
3 times, most recently
from
fc584fc
to
52814be
Compare
tristantarrant
changed the title
There was a problem hiding this comment.
Hey @tristantarrant, I added two suggestions. Let me know if you want me to add my commit
| Certificates should include the `subjectAltName` extension of type `dNSName` and/or `iPAddress` so that clients can correctly perform | ||
| hostname validation, according to the rules defined by the https://datatracker.ietf.org/doc/html/rfc2818[RFC 2818] specification. | ||
| The server will issue a warning if it is started with a certificate which does not include such an extension. |
There was a problem hiding this comment.
| Certificates should include the `subjectAltName` extension of type `dNSName` and/or `iPAddress` so that clients can correctly perform | |
| hostname validation, according to the rules defined by the https://datatracker.ietf.org/doc/html/rfc2818[RFC 2818] specification. | |
| The server will issue a warning if it is started with a certificate which does not include such an extension. | |
| Certificates must include the `subjectAltName` extension of the `dNSName` or `iPAddress` type, or both, to enable clients to perform hostname validation, following the rules defined by the https://datatracker.ietf.org/doc/html/rfc2818[RFC 2818] specification. | |
| If the certificate does not include this extension, the server issues a warning upon startup. |
| By default, Hot Rod clients will also perform hostname validation by matching the `dNSName` and/or `iPAddress` contained by the server certificate's `subjectAltName` extension with the expected hostname. | ||
|
|
There was a problem hiding this comment.
| By default, Hot Rod clients will also perform hostname validation by matching the `dNSName` and/or `iPAddress` contained by the server certificate's `subjectAltName` extension with the expected hostname. | |
| By default, Hot Rod clients also perform hostname validation by matching the `dNSName` or `iPAddress` or both types contained by the server certificate's `subjectAltName` extension with the expected hostname. | |
There was a problem hiding this comment.
and/or can be ambiguous and causes translation problems
* Add TLS hostname validation * Per-cluster SNI * Implict SNI if not set * Also add a method to return current cluster * JMX equivalent of above
tristantarrant
force-pushed
the
ISPN-15069/cluster_sni
branch
from
52814be
to
0c6b15e
Compare
|
Added @domiborges change and rebased. This is now ready |
|
Failures are unrelated |
ryanemerson
added
the
14.0.x
|
Thanks @tristantarrant |
https://issues.redhat.com/browse/ISPN-15069
This also enables TLS hostname validation by default according to RFC 2818, which also allows us to test it.