Posted to issues@cxf.apache.org by "Jim Ma (Jira)" <ji...@apache.org> on 2022/03/02 04:29:00 UTC

[jira] [Updated] (CXF-8668) Set SniHostCheck to false for SSLNettyClientTest

     [ https://issues.apache.org/jira/browse/CXF-8668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jim Ma updated CXF-8668:
------------------------
    Description: 
After Jetty is upgraded to 11.x, SniHostCheck is actually enabled after this change: [https://github.com/eclipse/jetty.project/pull/6078]. 

The request IP address is 127.0.0.1 and it isn't in the allowed address list, hence the SSLNettyClientTest fails:
{code:java}
[INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation  Time elapsed: 0.482 s  <<< ERROR!
jakarta.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103){code}
 

CXF 3.5.0 includes Jetty 9.4.44, and Jetty's SecureRequestCustomizer happens to skip sniHostCheck when the x509 is null and sniRequired is false:
{code:java}
SSLSession sslSession = sslEngine.getSession();

if (_sniHostCheck || _sniRequired)
{
    X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
    if (LOG.isDebugEnabled())
        LOG.debug("Host {} with SNI {}", request.getServerName(), x509);

    if (x509 == null)
    {
        if (_sniRequired)
            throw new BadMessageException(400, "SNI required");
    }
    else if (_sniHostCheck && !x509.matches(request.getServerName()))
    {
        throw new BadMessageException(400, "Host does not match SNI");
    }
}{code}
This means it doesn't execute sniHostCheck even though the default value is true.

 

  was:
After Jetty is upgraded to 11.x, SniHostCheck is actually enabled after this change: [https://github.com/eclipse/jetty.project/pull/6078]. 

The request IP address is 127.0.0.1 and it isn't in the allowed address list, hence the SSLNettyClientTest fails:
{code:java}
[INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation  Time elapsed: 0.482 s  <<< ERROR!
jakarta.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103){code}
 

 


> Set SniHostCheck to false for SSLNettyClientTest
> ------------------------------------------------
>
>                 Key: CXF-8668
>                 URL: https://issues.apache.org/jira/browse/CXF-8668
>             Project: CXF
>          Issue Type: Task
>          Components: Transports
>            Reporter: Jim Ma
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
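The setting the issue title asks for, shown as an added example that is not CXF's or Jetty's own code: an embedded Jetty 11 HTTPS connector whose SecureRequestCustomizer has sniHostCheck switched off, alongside the default that produces the "400: Invalid SNI" seen in the test log. The page does not show how CXF wires its Jetty engine, so this uses the plain Jetty API; the keystore path, password and class name are assumptions for illustration.

```java
// Added example, not code from CXF-8668 or from Jetty: an embedded Jetty 11
// HTTPS server with sniHostCheck configurable on SecureRequestCustomizer.
// Assumed: a PKCS12 keystore at the path below with the password below.
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

public class SniHostCheckServer {

    /**
     * Builds the HTTPS connector. sniHostCheck=false is the relaxation the
     * issue proposes for the SSLNettyClientTest fixture; true is Jetty's default.
     */
    static ServerConnector httpsConnector(Server server, int port, boolean sniHostCheck) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("src/test/resources/server.p12"); // assumed path
        ssl.setKeyStorePassword("changeit");                   // assumed password
        ssl.setKeyStoreType("PKCS12");
        // sniRequired stays at its default (false): a client that sends no SNI
        // is still accepted; only the Host-vs-certificate comparison is relaxed.

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);

        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        // With the default (true), Jetty 11 rejects a request whose Host header
        // (here localhost / 127.0.0.1) is not covered by the served certificate
        // with "400: Invalid SNI", even when the client sent no SNI at all.
        customizer.setSniHostCheck(sniHostCheck);
        httpsConfig.addCustomizer(customizer);

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(port);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // Port 0 asks for an ephemeral port, as the CXF test does (36101 in the log).
        server.addConnector(httpsConnector(server, 0, false));
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest,
                               HttpServletRequest request, HttpServletResponse response)
                    throws IOException {
                response.setStatus(HttpServletResponse.SC_OK);
                response.setContentType("text/plain");
                response.getWriter().println("served Host " + request.getServerName());
                baseRequest.setHandled(true);
            }
        });
        server.start();
        System.out.println("listening on https://localhost:"
                + ((ServerConnector) server.getConnectors()[0]).getLocalPort());
        server.join();
    }
}
```

Caveat for anyone copying this beyond a test: with sniHostCheck off, Jetty will answer a request whose Host header names a host the selected certificate does not cover, which is exactly the virtual-host confusion the check exists to stop. For a loopback test fixture that is acceptable; for a real deployment the better fix is a certificate whose subject alternative names include the hosts clients actually use and a client that sends matching SNI, leaving the check at its default.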