You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2018/09/17 19:09:21 UTC

[GitHub] rawlinp closed pull request #2822: Use exact matching of requested name to certificate for SNI fields

rawlinp closed pull request #2822: Use exact matching of requested name to certificate for SNI fields
URL: https://github.com/apache/trafficcontrol/pull/2822
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5022aebe..667d115ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Tenancy is now the default behavior in Traffic Ops.  All database entries that reference a tenant now have a default of the root tenant.  This eliminates the need for the `use_tenancy` global parameter and will allow for code to be simplified as a result. If all user and delivery services reference the root tenant, then there will be no difference from having `use_tenancy` set to 0.
 - Traffic Monitor Client Update: Traffic Monitor is updated to use the Traffic Ops v13 client.
 
+### Changed
+- Issue 2821: Fixed "Traffic Router may choose wrong certificate when SNI names overlap"
+
 ## [2.2.0] - 2018-06-07
 ### Added
 - Per-DeliveryService Routing Names: you can now choose a Delivery Service's Routing Name (rather than a hardcoded "tr" or "edge" name). This might require a few pre-upgrade steps detailed [here](http://traffic-control-cdn.readthedocs.io/en/latest/admin/traffic_ops/migration_from_20_to_22.html#per-deliveryservice-routing-names)
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
index 1c2df67b9..2996cb016 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
@@ -29,6 +29,7 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 // Uses the in memory CertificateRegistry to provide dynamic key and certificate management for the router
 // The provided default implementation does not allow for the key store to change state
@@ -87,11 +88,19 @@ private String chooseServerAlias(final ExtendedSSLSession sslSession) {
 			final String sniString = new String(requestedName.getEncoded());
 			stringBuilder.append(sniString);
 
-			final Optional<String> optionalAlias = certificateRegistry.getAliases().stream().filter(sniString::contains).findFirst();
-			if (optionalAlias.isPresent()) {
-				log.info("KeyManager: FOUND certificate registry aliases matching " + optionalAlias.get());
-				return optionalAlias.get();
+			final List<String> partialAliasMatches = certificateRegistry.getAliases().stream().filter(sniString::contains).collect(Collectors.toList());
+			Optional<String> alias = partialAliasMatches.stream().filter(sniString::contentEquals).findFirst();
+			if (alias.isPresent()) {
+			    return alias.get();
 			}
+
+			// Not an exact match, some of the aliases may have had the leading zone removed
+			final String sniStringTrimmed = sniString.substring(sniString.indexOf('.') + 1);
+			alias = partialAliasMatches.stream().filter(sniStringTrimmed::contentEquals).findFirst();
+			if (alias.isPresent()) {
+			    return alias.get();
+			}
+
 		}
 
 		if (stringBuilder.length() > 0) {
@@ -102,6 +111,7 @@ private String chooseServerAlias(final ExtendedSSLSession sslSession) {
 		return null;
 	}
 
+
 	@Override
 	public X509Certificate[] getCertificateChain(final String alias) {
 		final HandshakeData handshakeData = certificateRegistry.getHandshakeData(alias);


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services