Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/01/28 11:12:18 UTC
[tomcat] branch 8.5.x updated (8ae8626 -> bbed3ec)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 8ae8626 Fix typo
new f3faa70 Ensure the hostName field of SSLHostConfig is always lower case.
new 1b08a3d Ensure the extracted SNI host name is always lower case
new 14edcf8 Ensure the name of the default SSLHostConfig is always lower case
new 4a51d63 Ensure SSLHostConfig lookups for SNI from OpenSSL are case insensitive
new bbed3ec Make the calls to remove/reload the SSLHostConfig case insensitive
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../apache/catalina/manager/ManagerServlet.java | 2 ++
java/org/apache/tomcat/jni/SSLContext.java | 8 +++--
.../apache/tomcat/util/net/AbstractEndpoint.java | 37 ++++++++++++++++++----
java/org/apache/tomcat/util/net/SSLHostConfig.java | 10 +++++-
.../tomcat/util/net/TLSClientHelloExtractor.java | 7 +++-
webapps/docs/changelog.xml | 10 ++++++
webapps/docs/config/http.xml | 6 ++--
7 files changed, 68 insertions(+), 12 deletions(-)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[tomcat] 03/05: Ensure the name of the default SSLHostConfig is always lower case
Posted by ma...@apache.org.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 14edcf8621a22d883caa77ecf089aa29ba506b08
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 09:58:43 2021 +0000
Ensure the name of the default SSLHostConfig is always lower case
This is the third part of the fix to make mapping of SNI values to SSL
virtual hosts case insensitive.
---
java/org/apache/tomcat/util/net/AbstractEndpoint.java | 7 ++++++-
java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 +++
webapps/docs/config/http.xml | 3 ++-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 2b47dee..89a134e 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -26,6 +26,7 @@ import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
+import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
@@ -204,11 +205,15 @@ public abstract class AbstractEndpoint<S> {
// ----------------------------------------------------------------- Properties
private String defaultSSLHostConfigName = SSLHostConfig.DEFAULT_SSL_HOST_NAME;
+ /**
+ * @return The host name for the default SSL configuration for this endpoint
+ * - always in lower case.
+ */
public String getDefaultSSLHostConfigName() {
return defaultSSLHostConfigName;
}
public void setDefaultSSLHostConfigName(String defaultSSLHostConfigName) {
- this.defaultSSLHostConfigName = defaultSSLHostConfigName;
+ this.defaultSSLHostConfigName = defaultSSLHostConfigName.toLowerCase(Locale.ENGLISH);
}
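Review bot: setDefaultSSLHostConfigName now dereferences its argument, so a null value (which the old plain assignment stored silently) throws a NullPointerException at `defaultSSLHostConfigName.toLowerCase(Locale.ENGLISH)`; either reject null with a clear IllegalArgumentException or fall back to SSLHostConfig.DEFAULT_SSL_HOST_NAME. The getter's new "always in lower case" promise also rests on the field initialiser, SSLHostConfig.DEFAULT_SSL_HOST_NAME, being lower case, which the companion SSLHostConfig hunk only documents as a requirement.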
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 4e72bb3..56d7b6a 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -52,6 +52,9 @@ public class SSLHostConfig implements Serializable {
private static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ // Must be lower case. SSL host names are always stored using lower case as
+ // they are case insensitive but are used by case sensitive code such as
+ // keys in Maps.
protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
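Review bot: the comment states the invariant but nothing enforces it; a one-line unit test asserting `DEFAULT_SSL_HOST_NAME.equals(DEFAULT_SSL_HOST_NAME.toLowerCase(Locale.ENGLISH))` would catch a future edit to the constant, since the getters in AbstractEndpoint and SSLHostConfig now document the lower-case guarantee to callers.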
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 26439b5..5239a36 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -106,7 +106,8 @@
connections) if the client connection does not provide SNI or if the SNI
is provided but does not match any configured
<strong>SSLHostConfig</strong>. If not specified the default value of
- <code>_default_</code> will be used.</p>
+ <code>_default_</code> will be used. Provided values are always converted
+ to lower case.</p>
</attribute>
<attribute name="discardFacades" required="false">
[tomcat] 02/05: Ensure the extracted SNI host name is always lower case
Posted by ma...@apache.org.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 1b08a3db6294575ddbf16df8dd5ba296f4656449
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 09:50:22 2021 +0000
Ensure the extracted SNI host name is always lower case
This is the second part of the fix to make mapping of SNI values to SSL
virtual hosts case insensitive.
---
java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java b/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
index 54ea3f0..28d3358 100644
--- a/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
+++ b/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
@@ -22,6 +22,7 @@ import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
+import java.util.Locale;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -196,6 +197,10 @@ public class TLSClientHelloExtractor {
}
+ /**
+ * @return The SNI value provided by the client converted to lower case if
+ * not already lower case.
+ */
public String getSNIValue() {
if (result == ExtractorResult.COMPLETE) {
return sniValue;
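Review bot: the Javadoc promises a lower-case value but getSNIValue itself returns the stored field unchanged; the guarantee lives in the extraction code lower in this file, so a `@see` or comment pointing there, plus a test that feeds a mixed-case ClientHello through the extractor, would stop a later refactor of the extraction path from silently breaking this contract.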
@@ -399,7 +404,7 @@ public class TLSClientHelloExtractor {
char serverNameSize = bb.getChar();
byte[] serverNameBytes = new byte[serverNameSize];
bb.get(serverNameBytes);
- return new String(serverNameBytes, StandardCharsets.UTF_8);
+ return new String(serverNameBytes, StandardCharsets.UTF_8).toLowerCase(Locale.ENGLISH);
}
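Review bot: lower-casing at the point of extraction is the right choke point for the JSSE path, and Locale.ENGLISH is the correct choice (with the platform default locale a Turkish JVM would map "I" to dotless ı and the value would never match a registered host). One thing to note: the bytes are decoded as UTF-8 before the conversion, so a hostile ClientHello carrying non-ASCII bytes yields replacement characters rather than the raw wire value; harmless for a map lookup, but anything that logs or echoes the SNI value should not assume it reflects the bytes received.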
[tomcat] 04/05: Ensure SSLHostConfig lookups for SNI from OpenSSL are case insensitive
Posted by ma...@apache.org.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 4a51d6362fe1ca168e9b886be4eda5e3efffa68b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 10:16:00 2021 +0000
Ensure SSLHostConfig lookups for SNI from OpenSSL are case insensitive
This is the fourth part of the fix to make mapping of SNI values to SSL
virtual hosts case insensitive.
---
java/org/apache/tomcat/jni/SSLContext.java | 8 ++++++--
java/org/apache/tomcat/util/net/AbstractEndpoint.java | 13 ++++++++++++-
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/jni/SSLContext.java b/java/org/apache/tomcat/jni/SSLContext.java
index e0759b3..8c2f9b9 100644
--- a/java/org/apache/tomcat/jni/SSLContext.java
+++ b/java/org/apache/tomcat/jni/SSLContext.java
@@ -17,6 +17,7 @@
package org.apache.tomcat.jni;
+import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
@@ -416,7 +417,9 @@ public final class SSLContext {
if (sniCallBack == null) {
return 0;
}
- return sniCallBack.getSslContext(sniHostName);
+ // Can't be sure OpenSSL is going to provide the SNI value in lower case
+ // so convert it before looking up the SSLContext
+ return sniCallBack.getSslContext(sniHostName.toLowerCase(Locale.ENGLISH));
}
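Review bot: sniHostName is not null-checked before `.toLowerCase(Locale.ENGLISH)`; the method is reached from the handshake callback, so if the native side ever passes null the NullPointerException surfaces inside the JNI callback instead of the clean `return 0` used for the missing-callback case. An `if (sniHostName == null) { return 0; }` ahead of the conversion keeps the callback robust.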
/**
@@ -470,7 +473,8 @@ public final class SSLContext {
* This callback is made during the TLS handshake when the client uses
* the SNI extension to request a specific TLS host.
*
- * @param sniHostName The host name requested by the client
+ * @param sniHostName The host name requested by the client - must be in
+ * lower case
*
* @return The Java representation of the pointer to the OpenSSL
* SSLContext to use for the given host or zero if no SSLContext
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 89a134e..7f414b5 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -367,7 +367,18 @@ public abstract class AbstractEndpoint<S> {
}
-
+ /**
+ * Look up the SSLHostConfig for the given host name. Lookup order is:
+ * <ol>
+ * <li>exact match</li>
+ * <li>wild card match</li>
+ * <li>default SSLHostConfig</li>
+ * </ol>
+ *
+ * @param sniHostName Host name - must be in lower case
+ *
+ * @return The SSLHostConfig for the given host name.
+ */
protected SSLHostConfig getSSLHostConfig(String sniHostName) {
SSLHostConfig result = null;
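Review bot: the Javadoc makes lower case a precondition on the caller, but this method is protected and already has two independent call paths (the TLSClientHelloExtractor and the OpenSSL SNI callback) each doing its own conversion; lowering once inside this method, or at least adding `assert sniHostName.equals(sniHostName.toLowerCase(Locale.ENGLISH))`, would make the invariant self-enforcing rather than relying on every future caller reading the `@param` note.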
[tomcat] 05/05: Make the calls to remove/reload the SSLHostConfig case insensitive
Posted by ma...@apache.org.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit bbed3ec1e901ed0edcc6bf075d756cde764263a3
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 10:34:07 2021 +0000
Make the calls to remove/reload the SSLHostConfig case insensitive
This is the fifth and final part of the fix to make mapping of SNI values
to SSL virtual hosts case insensitive.
While not strictly related to SNI processing, a review of all of the
uses of sslHostConfigs identified these additional locations where the
host name may be provided in mixed case.
---
java/org/apache/tomcat/util/net/AbstractEndpoint.java | 17 +++++++++++++----
webapps/docs/changelog.xml | 10 ++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 7f414b5..b950909 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -290,12 +290,15 @@ public abstract class AbstractEndpoint<S> {
if (hostName == null) {
return null;
}
- // Host names are case insensitive
- if (hostName.equalsIgnoreCase(getDefaultSSLHostConfigName())) {
+ // Host names are case insensitive but stored/processed in lower case
+ // internally because they are used as keys in a ConcurrentMap where
+ // keys are compared in a case sensitive manner.
+ String hostNameLower = hostName.toLowerCase(Locale.ENGLISH);
+ if (hostNameLower.equals(getDefaultSSLHostConfigName())) {
throw new IllegalArgumentException(
sm.getString("endpoint.removeDefaultSslHostConfig", hostName));
}
- SSLHostConfig sslHostConfig = sslHostConfigs.remove(hostName);
+ SSLHostConfig sslHostConfig = sslHostConfigs.remove(hostNameLower);
unregisterJmx(sslHostConfig);
return sslHostConfig;
}
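Review bot: lowering once and using the lowered key for both the default-name comparison and the map removal is correct, and keeping the original hostName in the exception message preserves the user's spelling in the error. Pre-existing but now more visible: when the name is unknown, `sslHostConfigs.remove(hostNameLower)` returns null and unregisterJmx(null) is still called; a null check there (or an unknownSslHostName exception matching reloadSslHostConfig) would make the two methods behave consistently.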
@@ -308,7 +311,13 @@ public abstract class AbstractEndpoint<S> {
* reloaded. This must match a current SSL host
*/
public void reloadSslHostConfig(String hostName) {
- SSLHostConfig sslHostConfig = sslHostConfigs.get(hostName);
+ // Host names are case insensitive but stored/processed in lower case
+ // internally because they are used as keys in a ConcurrentMap where
+ // keys are compared in a case sensitive manner.
+ // This method can be called via various paths so convert the supplied
+ // host name to lower case here to ensure the conversion occurs whatever
+ // the call path.
+ SSLHostConfig sslHostConfig = sslHostConfigs.get(hostName.toLowerCase(Locale.ENGLISH));
if (sslHostConfig == null) {
throw new IllegalArgumentException(
sm.getString("endpoint.unknownSslHostName", hostName));
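Review bot: the Javadoc at the top of this hunk still says only "This must match a current SSL host"; add that the match is case insensitive, since that is the observable change. The comment notes the method is reached via various paths; ManagerServlet is one of them and passes the user-supplied tlsHostName through unchanged, so the conversion here is what makes that path work.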
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9be25cb..6e9ee77 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,6 +104,16 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 8.5.62 (markt)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Ensure that SNI provided host names are matched to SSL virtual host
+ configurations in a case insensitive manner. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+</section>
+<section name="Tomcat 9.0.42 (markt)" rtext="release in progress">
<subsection name="Catalina">
<changelog>
<fix>
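Review bot: the inserted `<section name="Tomcat 9.0.42 (markt)" rtext="release in progress">` heading does not belong in the 8.5.x changelog and looks like a back-port artifact from the 9.0.x commit: after this hunk the pre-existing Catalina entries that followed the 8.5.62 context line are closed off under a 9.0.42 heading. Either drop the added `</section>` / `<section ...>` pair and put the new Coyote subsection inside the existing 8.5.62 section, or name the new section by the correct 8.5 version.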
[tomcat] 01/05: Ensure the hostName field of SSLHostConfig is always lower case.
Posted by ma...@apache.org.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit f3faa70cf0098fcabda6e2ce1074c128b9b7f491
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 09:29:01 2021 +0000
Ensure the hostName field of SSLHostConfig is always lower case.
This is the first part of the fix to make mapping of SNI values to SSL
virtual hosts case insensitive.
DNS names are case insensitive and while some browsers appear to always
convert provided host names to lower case, I have found no requirement
for this in the RFCs.
The overall plan is to always store and process host names in lower
case. This is because they are used as keys in a ConcurrentMap and keys
are compared in a case sensitive manner.
Using CaseInsensitiveKeyMap was rejected as a solution as it is not thread
safe.
---
java/org/apache/catalina/manager/ManagerServlet.java | 2 ++
java/org/apache/tomcat/util/net/SSLHostConfig.java | 7 ++++++-
webapps/docs/config/http.xml | 3 ++-
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/manager/ManagerServlet.java b/java/org/apache/catalina/manager/ManagerServlet.java
index ee4247d..d5b3723 100644
--- a/java/org/apache/catalina/manager/ManagerServlet.java
+++ b/java/org/apache/catalina/manager/ManagerServlet.java
@@ -572,6 +572,8 @@ public class ManagerServlet extends HttpServlet implements ContainerServlet {
} else {
SSLHostConfig[] sslHostConfigs = http11Protoocol.findSslHostConfigs();
for (SSLHostConfig sslHostConfig : sslHostConfigs) {
+ // tlsHostName is as provided by the user so use a case insensitive
+ // comparison as host names are case insensitive.
if (sslHostConfig.getHostName().equalsIgnoreCase(tlsHostName)) {
found = true;
http11Protoocol.reloadSslHostConfig(tlsHostName);
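Review bot: the comparison is now case insensitive, but the value forwarded on the next line is still the user-supplied tlsHostName, so unless reloadSslHostConfig normalises its argument a mixed-case name passes the equalsIgnoreCase check and then fails the map lookup inside reloadSslHostConfig with unknownSslHostName. Passing sslHostConfig.getHostName(), which this same commit guarantees is lower case, removes the dependency on the callee.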
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 744ce9b..4e72bb3 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -25,6 +25,7 @@ import java.security.UnrecoverableKeyException;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
+import java.util.Locale;
import java.util.Set;
import javax.management.ObjectName;
@@ -436,10 +437,14 @@ public class SSLHostConfig implements Serializable {
public void setHostName(String hostName) {
- this.hostName = hostName;
+ this.hostName = hostName.toLowerCase(Locale.ENGLISH);
}
+ /**
+ * @return The host name associated with this SSL configuration - always in
+ * lower case.
+ */
public String getHostName() {
return hostName;
}
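Review bot: setHostName has no Javadoc while getHostName now documents the lower-case invariant; a `@param` note saying the value is normalised with Locale.ENGLISH, plus a null guard (the old assignment tolerated null, toLowerCase does not), would complete the contract. Locale.ENGLISH is the right choice: using the platform default locale on a Turkish JVM would turn "I" into dotless ı and break matches against values lowered elsewhere with a different locale.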
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 9d66d5d..26439b5 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1330,7 +1330,8 @@
<p>The name of the SSL Host. This should either be the fully qualified
domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
name (e.g. <code>*.apache.org</code>). If not specified, the default value
- of <code>_default_</code> will be used.</p>
+ of <code>_default_</code> will be used. Provided values are always
+ converted to lower case.</p>
</attribute>
<attribute name="insecureRenegotiation" required="false">
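The five commits in this series enforce one invariant: host names are lower-cased with Locale.ENGLISH at every entry point (configuration, SNI extraction, the OpenSSL callback, remove/reload), because the ConcurrentMap keys are compared case-sensitively, and lookups proceed exact match, then wild card, then default. As an added example that is not Tomcat's code, the class below models that registry end to end. The HostConfig stand-in, the wild card rule used here (`*.` followed by everything after the first label), and the class and method names are assumptions for illustration, not the project's API.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not Tomcat code: a registry of SSL host configurations keyed
 * by lower-cased host name, resolving an SNI value in the documented order
 * (exact match, wild card match, default).
 */
public final class SniHostLookup {

    /** Stand-in for SSLHostConfig; only the name matters here (assumption). */
    public static final class HostConfig {
        private final String hostName;
        HostConfig(String hostName) { this.hostName = hostName; }
        public String getHostName() { return hostName; }
    }

    // Lower case by construction, like SSLHostConfig.DEFAULT_SSL_HOST_NAME.
    static final String DEFAULT_NAME = "_default_";

    // ConcurrentHashMap keys are case sensitive, hence normalise() at every entry point.
    private final Map<String, HostConfig> configs = new ConcurrentHashMap<>();
    private final String defaultName;

    public SniHostLookup() {
        this.defaultName = DEFAULT_NAME;
        configs.put(defaultName, new HostConfig(defaultName));
    }

    /** Mirrors SSLHostConfig.setHostName(): normalise on the way in. */
    public void add(String hostName) {
        String key = normalise(hostName);
        configs.put(key, new HostConfig(key));
    }

    /** Mirrors AbstractEndpoint.removeSslHostConfig(): the default can never be removed. */
    public HostConfig remove(String hostName) {
        String key = normalise(hostName);
        if (key.equals(defaultName)) {
            throw new IllegalArgumentException("cannot remove the default SSL host: " + hostName);
        }
        return configs.remove(key);
    }

    /** Exact match, then wild card (*.parent, an assumed rule), then default. */
    public HostConfig lookup(String sniHostName) {
        if (sniHostName != null) {
            String key = normalise(sniHostName);
            HostConfig exact = configs.get(key);
            if (exact != null) {
                return exact;
            }
            int dot = key.indexOf('.');
            if (dot > 0) {
                HostConfig wild = configs.get("*" + key.substring(dot));
                if (wild != null) {
                    return wild;
                }
            }
        }
        return configs.get(defaultName);   // no SNI, or nothing matched
    }

    /** Locale.ENGLISH: the default locale on a Turkish JVM maps 'I' to dotless i (U+0131). */
    static String normalise(String hostName) {
        if (hostName == null) {
            throw new IllegalArgumentException("host name must not be null");
        }
        return hostName.toLowerCase(Locale.ENGLISH);
    }

    public static void main(String[] args) {
        SniHostLookup lookup = new SniHostLookup();
        lookup.add("Tomcat.Apache.ORG");   // mixed case as it might appear in server.xml
        lookup.add("*.Example.COM");       // wild card entry

        // Constructed SNI values as a client might send them, in assorted cases.
        for (String sni : new String[] {"tomcat.apache.org", "TOMCAT.APACHE.ORG",
                                        "Www.Example.Com", "other.net", null}) {
            System.out.println(sni + " -> " + lookup.lookup(sni).getHostName());
        }

        // Why Locale.ENGLISH matters: compare locale-sensitive lower-casing of the same input.
        String input = "API.example.org";
        System.out.println("tr locale:      " + input.toLowerCase(Locale.forLanguageTag("tr")));
        System.out.println("Locale.ENGLISH: " + normalise(input));
    }
}
```

The two mixed-case inputs for the Apache host resolve to the same entry, the `Www.Example.Com` query falls through the exact match to the wild card key, and both `other.net` and a missing SNI land on the default, which is the behaviour the patch series describes. The last two lines show the Turkish-locale trap the commits avoid by pinning Locale.ENGLISH on both the configuration and the SNI side.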