

[CONJ-511] Add trace logs on SSL hostname verification
rusher committed Aug 22, 2017
1 parent d4ae2a2 commit cabb917
Showing 3 changed files with 42 additions and 32 deletions.
Expand Up @@ -696,13 +696,13 @@ private void handleConnectionPhases(String host) throws SQLException {
if (!options.disableSslHostnameVerification && !options.trustServerCertificate) {
HostnameVerifierImpl hostnameVerifier = new HostnameVerifierImpl();
SSLSession session = sslSocket.getSession();
if (!hostnameVerifier.verify(host, session)) {
if (!hostnameVerifier.verify(host, session, serverThreadId)) {

//Use proprietary verify method in order to have an exception with a better description of error.
try {
Certificate[] certs = session.getPeerCertificates();
X509Certificate cert = (X509Certificate) certs[0];
hostnameVerifier.verify(host, cert);
hostnameVerifier.verify(host, cert, serverThreadId);
} catch (SSLException ex) {
throw new SQLNonTransientConnectionException("SSL hostname verification failed : " + ex.getMessage()
+ "\nThis verification can be disable using the option \"disableSslHostnameVerification\" "
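Review bot: On the failure path the hostname is now checked twice with the same serverThreadId — first by the boolean `verify(host, session, serverThreadId)` and, when that returns false, again by the throwing `verify(host, cert, serverThreadId)` — so every trace line this commit adds will be emitted twice for one failed connection, and the first pass additionally logs the SSLException at debug before the SQLNonTransientConnectionException carries the same message. Since the session overload only wraps the certificate overload, calling the throwing form directly inside the try would give one trace sequence per connection: `try {` / `hostnameVerifier.verify(host, (X509Certificate) session.getPeerCertificates()[0], serverThreadId);` / `} catch (SSLException ex) {`. handleConnectionPhases starts and ends outside this hunk.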
Expand Up @@ -138,10 +138,15 @@ private SubjectAltNames getSubjectAltNames(X509Certificate cert) throws Certific

@Override
public boolean verify(String host, SSLSession session) {
return verify(host, session, -1);
}


public boolean verify(String host, SSLSession session, long serverThreadId) {
try {
Certificate[] certs = session.getPeerCertificates();
X509Certificate cert = (X509Certificate) certs[0];
verify(host, cert);
verify(host, cert, serverThreadId);
return true;
} catch (SSLException ex) {
if (logger.isDebugEnabled()) logger.debug(ex.getMessage(), ex);
Expand All @@ -152,11 +157,12 @@ public boolean verify(String host, SSLSession session) {
/**
* Verification that throw an exception with a detailed error message in case of error.
*
* @param host hostname
* @param cert certificate
* @param host hostname
* @param cert certificate
* @param serverThreadId server thread Identifier to identify connection in logs
* @throws SSLException exception
*/
public void verify(String host, X509Certificate cert) throws SSLException {
public void verify(String host, X509Certificate cert, long serverThreadId) throws SSLException {
String normalizedHost = host.toLowerCase(Locale.ROOT);
try {
//***********************************************************
Expand All @@ -173,9 +179,9 @@ public void verify(String host, X509Certificate cert) throws SSLException {
if (Utils.isIPv4(host)) {
for (GeneralName entry : subjectAltNames.getGeneralNames()) {
if (logger.isTraceEnabled()) {
logger.trace("IPv4 verification of hostname : type=" + entry.extension
+ " value=" + entry.value
+ " to " + host);
logger.trace("Conn: " + serverThreadId + ". IPv4 verification of hostname : type=" + entry.extension
+ " value=\"" + entry.value
+ "\" to \"" + host + "\"");
}

if (entry.extension == Extension.IP) { //IP
Expand All @@ -189,9 +195,9 @@ public void verify(String host, X509Certificate cert) throws SSLException {
String normalisedHost = normaliseAddress(host);
for (GeneralName entry : subjectAltNames.getGeneralNames()) {
if (logger.isTraceEnabled()) {
logger.trace("IPv6 verification of hostname : type=" + entry.extension
+ " value=" + entry.value
+ " to " + host);
logger.trace("Conn: " + serverThreadId + ". IPv6 verification of hostname : type=" + entry.extension
+ " value=\"" + entry.value
+ "\" to \"" + host + "\"");
}
if (entry.extension == Extension.IP) { //IP
if (!Utils.isIPv4(entry.value)) {
Expand All @@ -208,7 +214,7 @@ public void verify(String host, X509Certificate cert) throws SSLException {
//***********************************************************
for (GeneralName entry : subjectAltNames.getGeneralNames()) {
if (logger.isTraceEnabled()) {
logger.trace("DNS verification of hostname : type=" + entry.extension
logger.trace("Conn: " + serverThreadId + ". DNS verification of hostname : type=" + entry.extension
+ " value=" + entry.value
+ " to " + host);
}
Expand Down Expand Up @@ -239,7 +245,11 @@ public void verify(String host, X509Certificate cert) throws SSLException {
}

String normalizedCn = cn.toLowerCase(Locale.ROOT);

if (logger.isTraceEnabled()) {
logger.trace("Conn: " + serverThreadId + ". DNS verification of hostname :"
+ " CN=" + normalizedCn
+ " to " + normalizedHost);
}
if (!matchDns(normalizedHost, normalizedCn)) {
String errorMsg = normalizedHostMsg(normalizedHost) + " doesn't correspond to certificate CN \"" + normalizedCn + "\"";
if (!subjectAltNames.isEmpty()) errorMsg += " and " + subjectAltNames.toString();
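Review bot: The hunk at `@@ -152,11 +157,12 @@` appears to drop the public `verify(String host, X509Certificate cert)` overload outright, while the session variant keeps a delegating two-argument `verify(String host, SSLSession session)`, so external callers of the certificate variant (the test file in this commit had to be touched for exactly that reason) break on upgrade. A delegating overload `public void verify(String host, X509Certificate cert) throws SSLException { verify(host, cert, -1); }` keeps the class source-compatible and symmetric. The new `@param serverThreadId` Javadoc should also name the sentinel the class itself passes, e.g. `server thread identifier to identify the connection in logs, or -1 when no connection is associated`. In the hunk at `@@ -208,7 +214,7 @@` the DNS trace still prints value and host unquoted where the IPv4 and IPv6 messages now quote them, so a SAN value with leading or trailing whitespace is hard to spot in the log; `+ " value=\"" + entry.value + "\" to \"" + host + "\"");` would make the three messages consistent. The body of verify(host, cert, serverThreadId) runs past each of these hunks.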
Expand Up @@ -23,7 +23,7 @@ private static X509Certificate getCertificate(String certString) throws Certific

private void verifyExceptionEqual(String host, X509Certificate cert, String exceptionMessage) {
try {
verifier.verify(host, cert);
verifier.verify(host, cert, -1);
fail("must have failed");
} catch (SSLException exception) {
assertEquals(exceptionMessage, exception.getMessage());
Expand Down Expand Up @@ -62,7 +62,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
+ "UEjb+vAN7FxXzXzH4oqIeycnxP+/MA82iieew7nlOMlYrppM6igjP0CUzw4ys6lG\n"
+ "8QdWBcm2Ybo4XFjOnC98VlQl+WBu4CiToxjGphDmsMIO3Hf5PSTRwTKxtuWn45Y=\n"
+ "-----END CERTIFICATE-----\n");
verifier.verify("test.com", cert);
verifier.verify("test.com", cert, -1);
verifyExceptionEqual("a.test.com", cert, "DNS host \"a.test.com\" doesn't correspond to "
+ "certificate CN \"test.com\"");
verifyExceptionEqual("other.com", cert, "DNS host \"other.com\" doesn't correspond to "
Expand Down Expand Up @@ -92,7 +92,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
+ "x51XCozrD1yW9JK/YyBnjYk04iEfQLW7+pGMJOcsX7x9EGwpEg1gsDg2mM0EEIwU\n"
+ "d6DHlYvpD9JkzyEScg8Supztoc2aGbGE4SHBKB1riTLBAHWqqwas4sGSgZxu\n"
+ "-----END CERTIFICATE-----\n");
verifier.verify("\uD83D\uDE0E.com", cert);
verifier.verify("\uD83D\uDE0E.com", cert, -1);
verifyExceptionEqual("a.\uD83D\uDE0E.com", cert, "DNS host \"a.\uD83D\uDE0E.com\" doesn't "
+ "correspond to certificate CN \"\uD83D\uDE0E.com\"");

Expand Down Expand Up @@ -133,13 +133,13 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce

verifyExceptionEqual("mariadb.org", cert, "DNS host \"mariadb.org\" doesn't correspond to certificate "
+ "CN \"*.mariadb.org\" and SAN[{DNS:\"other.org\"},{DNS:\"www.other.org\"}]");
verifier.verify("a.mariadb.org", cert);
verifier.verify("a.mariadb.org", cert, -1);
verifyExceptionEqual("a.other2.org", cert, "DNS host \"a.other2.org\" doesn't correspond to certificate "
+ "CN \"*.mariadb.org\" and SAN[{DNS:\"other.org\"},{DNS:\"www.other.org\"}]");
verifier.verify("other.org", cert);
verifier.verify("other.org", cert, -1);
verifyExceptionEqual("a.other.org", cert, "DNS host \"a.other.org\" doesn't correspond to certificate "
+ "CN \"*.mariadb.org\" and SAN[{DNS:\"other.org\"},{DNS:\"www.other.org\"}]");
verifier.verify("www.other.org", cert);
verifier.verify("www.other.org", cert, -1);
}

@Test public void verifySubjectAltOnly() throws Exception {
Expand Down Expand Up @@ -170,7 +170,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
+ "qAVqixM+J0qJmQStgAc53i2aTMvAQu3A3snvH/PHTBo+5UL72n9S1kZyNCsVf1Qo\n"
+ "n8jKTiRriEM+fMFlcgQP284EBFzYHyCXFb9O/hMjK2+6mY9euMB1U1aFFzM/Bg==\n"
+ "-----END CERTIFICATE-----\n");
verifier.verify("foo.com", cert);
verifier.verify("foo.com", cert, -1);
verifyExceptionEqual("a.foo.com", cert, "CN not found in certificate principal "
+ "\"EMAILADDRESS=juliusdavies@gmail.com, OU=test certificates, O=httpcomponents, L=Forest Hill, "
+ "ST=Maryland, C=US\" and DNS host \"a.foo.com\" doesn't correspond to SAN[{DNS:\"foo.com\"}]");
Expand Down Expand Up @@ -200,7 +200,7 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
+ "A94gKVaU6XS6EdDGc6oSfKAR/pqKnWAmDc0ofvYniojquzm4fUO3JgzXN/xTDPUc\n"
+ "GiY3dV92GD9wZfbUWsQRzLizRzIrsvZfCn/LLeUvOQPuCCeLzIxD\n"
+ "-----END CERTIFICATE-----\n");
verifier.verify("test1.org", cert);
verifier.verify("test1.org", cert, -1);
verifyExceptionEqual("test2.org", cert, "DNS host \"test2.org\" doesn't correspond to "
+ "certificate CN \"test1.org\"");
}
Expand Down Expand Up @@ -235,8 +235,8 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
+ "-----END CERTIFICATE-----\n");
verifyExceptionEqual("foo.com", cert, "DNS host \"foo.com\" doesn't correspond to certificate "
+ "CN \"*.foo.com\"");
verifier.verify("www.foo.com", cert);
verifier.verify("\u82b1\u5b50.foo.com", cert);
verifier.verify("www.foo.com", cert, -1);
verifier.verify("\u82b1\u5b50.foo.com", cert, -1);
verifyExceptionEqual("a.b.foo.com", cert, "DNS host \"a.b.foo.com\" doesn't correspond to "
+ "certificate CN \"*.foo.com\"");
}
Expand Down Expand Up @@ -270,8 +270,8 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
+ "UGPLEUDzRHMPHLnSqT1n5UU5UDRytbjJPXzF+l/+WZIsanefWLsxnkgAuZe/oMMF\n"
+ "EJMryEzOjg4Tfuc5qM0EXoPcQ/JlheaxZ40p2IyHqbsWV4MRYuFH4bkM\n"
+ "-----END CERTIFICATE-----\n");
verifier.verify("foo.co.jp", cert);
verifier.verify("\u82b1\u5b50.co.jp", cert);
verifier.verify("foo.co.jp", cert, -1);
verifier.verify("\u82b1\u5b50.co.jp", cert, -1);
}

@Test public void subjectAltUsesLocalDomainAndIp() throws Exception {
Expand Down Expand Up @@ -301,12 +301,12 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce
assertEquals(new X500Principal("CN=*.mariadb.org, O=\"Acme, Inc.\", L=SZ, ST=GD, C=CN"), cert.getSubjectX500Principal());


verifier.verify("localhost", cert);
verifier.verify("localhost.localdomain", cert);
verifier.verify("localhost", cert, -1);
verifier.verify("localhost.localdomain", cert, -1);
verifyExceptionEqual("local.host", cert, "DNS host \"local.host\" doesn't correspond to certificate "
+ "CN \"*.mariadb.org\" and SAN[{DNS:\"localhost.localdomain\"},{DNS:\"localhost\"},{IP:\"127.0.0.1\"}]");

verifier.verify("127.0.0.1", cert);
verifier.verify("127.0.0.1", cert, -1);
verifyExceptionEqual("127.0.0.2", cert, "IPv4 host \"127.0.0.2\" doesn't correspond to certificate "
+ "CN \"*.mariadb.org\" and SAN[{DNS:\"localhost.localdomain\"},{DNS:\"localhost\"},{IP:\"127.0.0.1\"}]");
}
Expand Down Expand Up @@ -364,13 +364,13 @@ private void verifyExceptionEqual(String host, X509Certificate cert, String exce

verifyExceptionEqual("other.org", cert, "DNS host \"other.org\" doesn't correspond "
+ "to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]");
verifier.verify("www.other.org", cert);
verifier.verify("www.other.org", cert, -1);
verifyExceptionEqual("other2.org", cert, "DNS host \"other2.org\" doesn't correspond "
+ "to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]");
verifyExceptionEqual("www.other2.org", cert, "DNS host \"www.other2.org\" doesn't correspond "
+ "to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]");
verifier.verify("ab.other2.com", cert);
verifier.verify("axxxxb.other2.com", cert);
verifier.verify("ab.other2.com", cert, -1);
verifier.verify("axxxxb.other2.com", cert, -1);
verifyExceptionEqual("axxxxbc.other2.org", cert, "DNS host \"axxxxbc.other2.org\" doesn't "
+ "correspond to certificate CN \"*.mariadb.org\" and SAN[{DNS:\"*.other.org\"},{DNS:\"a*b.other2.com\"}]");
verifyExceptionEqual("caxxxxb.other2.org", cert, "DNS host \"caxxxxb.other2.org\" doesn't "

