Better handling for wrong SNI #5379
Assignees
Projects
Comments
|
@gregw strengthening the verifications when I don't think we should support bogus certificates like that, so I'm for do the strengthening and fix the tests. |
|
The 400 is returned from the SecureRequestCustomizer. Is that present? There's also a SNI check in SslContextFactory.Server |
sbordet
added a commit
that referenced
this issue
Oct 5, 2020
Now returning 400 when SNI does not match any certificate and SecureRequestCustomizer.sniHostCheck=true. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet
added a commit
that referenced
this issue
Oct 8, 2020
Reworked the SNI logic. Added support for IP addresses in the SAN extension of certificates in the X509 class. Fixed keystores to have CN=localhost and SAN with ip=127.0.0.1 and ip=[::1]. Fixed tests that were not using the correct Host header. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet
added a commit
that referenced
this issue
Oct 12, 2020
* Fixes #5379 - Better handling for wrong SNI. Reworked the SNI logic. Added support for IP addresses in the SAN extension of certificates in the X509 class. Fixed keystores to have CN=localhost and SAN with ip=127.0.0.1 and ip=[::1]. Fixed tests that were not using the correct Host header. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet
added a commit
that referenced
this issue
May 18, 2021
Backported support for IP addresses in X509 (from #5379). Introduced SslContextFactory.Client.SniProvider to allow applications to specify the SNI names to send to the server. Improved logging of SNI processing. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
This was referenced May 18, 2021
sbordet
added a commit
that referenced
this issue
May 21, 2021
* Fixes #6276 - Support non-standard domains in SNI and X509. Backported support for IP addresses in X509 (from #5379). Introduced SslContextFactory.Client.SniProvider to allow applications to specify the SNI names to send to the server. Improved logging of SNI processing. Skip X509 matching over IP addresses when the host does not look like an IP address, to avoid reverse DNS lookup. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet
added a commit
that referenced
this issue
May 21, 2021
Improved support for IP addresses in X509 (after #5379). Introduced SslContextFactory.Client.SniProvider to allow applications to specify the SNI names to send to the server. Improved logging of SNI processing. Skip X509 matching over IP addresses when the host does not look like an IP address, to avoid reverse DNS lookup. Signed-off-by: Simone Bordet <simone.bordet@gmail.com> (cherry picked from commit 04df6d4)
sbordet
added a commit
that referenced
this issue
May 24, 2021
…6311) * Fixes #6276 - Support non-standard domains in SNI and X509. (#6296) Improved support for IP addresses in X509 (after #5379). Introduced SslContextFactory.Client.SniProvider to allow applications to specify the SNI names to send to the server. Improved logging of SNI processing. Skip X509 matching over IP addresses when the host does not look like an IP address, to avoid reverse DNS lookup. Signed-off-by: Simone Bordet <simone.bordet@gmail.com> (cherry picked from commit 04df6d4)
lucamilanesio
pushed a commit
to GerritCodeReview/jgit
that referenced
this issue
Nov 22, 2021
- this is the same version eclipse platform currently uses - update servlet-api to 4.0 - configure keystore used by AppServer with Subject Alternative Names for host name and ip address to satisfy more strict SNI checking in Jetty 10. See jetty/jetty.project#5379 - add jetty bundles to JGit-dependency-bundles in the jgit p2 repository Bug: 571932 Bug: 576100 Change-Id: Ibd0240cf7ad4dc201947fd69707f517c3c1fc1c8
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Jetty version
9.4.x
Description
When the client sends a wrong SNI, and
jetty.ssl.sniHostCheck=trueJetty should return a 400, but it returns 200.The text was updated successfully, but these errors were encountered: