You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2022/11/10 20:03:00 UTC

[jira] [Assigned] (ARTEMIS-3968) Optionally disable Management UI HTTPS SNI host checking

     [ https://issues.apache.org/jira/browse/ARTEMIS-3968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram reassigned ARTEMIS-3968:
---------------------------------------

    Assignee: Justin Bertram

> Optionally disable Management UI HTTPS SNI host checking
> --------------------------------------------------------
>
>                 Key: ARTEMIS-3968
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3968
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Web Console
>    Affects Versions: 2.24.0
>            Reporter: Aaron Steigerwald
>            Assignee: Justin Bertram
>            Priority: Major
>
> The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR 400 Invalid SNI" to the client browser if the web server's certificate (defined in the {{bootstrap.xml}} file's web element's {{keyStorePath}} attribute) does not contain the server's DNS name. It also prevents the browser from using "https://localhost...". This makes running the broker in a dev and test environment difficult. A work around is to run it in HTTP mode but this prevents exercising the HTTPS parameters and certificates.
> I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be enabled by default or at least more strictly enforced.
> I disabled SNI host checking by modifying {{org.apache.activemq.artemis.component.WebServerComponent}} in the following way:
> Current 2.24.0 version:
> {code:java}
> httpConfiguration.addCustomizer(new SecureRequestCustomizer());{code}
> Modified 2.24.0 version to disable SNI host checking:
> {code:java}
> SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
> secureRequestCustomizer.setSniHostCheck(false);
> httpConfiguration.addCustomizer(secureRequestCustomizer);{code}
> Adding another binding attribute to the {{bootstrap.xml}} file's web element, like "disableSniHostCheck", and using it to set "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way to disable SNI host checking.
> -----
> The following is provided for reference:
> Server Name Indication (SNI)
> https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
> Search for "jetty.ssl.sniHostCheck" in https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
> {{artemis.log}} entries:
> {noformat}
> 2022-08-31 21:35:39,512 WARN  [org.eclipse.jetty.server.HttpChannel] handleException /console org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> 2022-08-31 21:35:39,560 WARN  [org.eclipse.jetty.server.HttpChannel] handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI{noformat}
> Browser message when trying to access https://localhost:8163/console with SNI host checking enabled and a certificate with a DNS entry that does not match the server:
> {noformat}
> HTTP ERROR 400 Invalid SNI
> URI:    /console
> STATUS:    400
> MESSAGE:    Invalid SNI
> SERVLET:    -
> CAUSED BY:    org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> Caused by:
> org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
>     at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
>     at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
>     at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
>     at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
>     at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
>     at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
>     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
>     at java.base/java.lang.Thread.run(Thread.java:829){noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)