You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2022/09/02 13:08:00 UTC
[jira] [Updated] (ARTEMIS-3968) Optionally disable Management UI HTTPS SNI host checking
[ https://issues.apache.org/jira/browse/ARTEMIS-3968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram updated ARTEMIS-3968:
------------------------------------
Description:
The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR 400 Invalid SNI" to the client browser if the web server's certificate (defined in the {{bootstrap.xml}} file's web element's {{keyStorePath}} attribute) does not contain the server's DNS name. It also prevents the browser from using "https://localhost...". This makes running the broker in a dev and test environment difficult. A work around is to run it in HTTP mode but this prevents exercising the HTTPS parameters and certificates.
I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be enabled by default or at least more strictly enforced.
I disabled SNI host checking by modifying {{org.apache.activemq.artemis.component.WebServerComponent}} in the following way:
Current 2.24.0 version:
{code:java}
httpConfiguration.addCustomizer(new SecureRequestCustomizer());{code}
Modified 2.24.0 version to disable SNI host checking:
{code:java}
SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
secureRequestCustomizer.setSniHostCheck(false);
httpConfiguration.addCustomizer(secureRequestCustomizer);{code}
Adding another binding attribute to the {{bootstrap.xml}} file's web element, like "disableSniHostCheck", and using it to set "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way to disable SNI host checking.
-----
The following is provided for reference:
Server Name Indication (SNI)
https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
Search for "jetty.ssl.sniHostCheck" in https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
{{artemis.log}} entries:
{noformat}
2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel] handleException /console org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel] handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI{noformat}
Browser message when trying to access https://localhost:8163/console with SNI host checking enabled and a certificate with a DNS entry that does not match the server:
{noformat}
HTTP ERROR 400 Invalid SNI
URI: /console
STATUS: 400
MESSAGE: Invalid SNI
SERVLET: -
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
at java.base/java.lang.Thread.run(Thread.java:829){noformat}
was:
The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR 400 Invalid SNI" to the client browser if the web server's certificate (defined in the bootstrap.xml file's web element's keyStorePath attribute) does not contain the server's DNS name. It also prevents the browser from using "https://localhost...". This makes running the broker in a dev and test environment difficult. A work around is to run it in HTTP mode but this prevents exercising the HTTPS parameters and certificates.
I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be enabled by default or at least more strictly enforced.
I disabled SNI host checking by modifying org.apache.activemq.artemis.component.WebServerComponent in the following way:
Current 2.24.0 version:
httpConfiguration.addCustomizer(new SecureRequestCustomizer());
Modified 2.24.0 version to disable SNI host checking:
SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
secureRequestCustomizer.setSniHostCheck(false);
httpConfiguration.addCustomizer(secureRequestCustomizer);
Adding another binding attribute to the bootstrap.xml file's web element, like "disableSniHostCheck", and using it to set "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way to disable SNI host checking.
-----
The following is provided for reference:
Server Name Indication (SNI)
https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
Search for "jetty.ssl.sniHostCheck" in https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
artemis.log entries:
2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel] handleException /console org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel] handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Browser message when trying to access https://localhost:8163/console with SNI host checking enabled and a certificate with a DNS entry that does not match the server:
HTTP ERROR 400 Invalid SNI
URI: /console
STATUS: 400
MESSAGE: Invalid SNI
SERVLET: -
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
at java.base/java.lang.Thread.run(Thread.java:829)
> Optionally disable Management UI HTTPS SNI host checking
> --------------------------------------------------------
>
> Key: ARTEMIS-3968
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3968
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Web Console
> Affects Versions: 2.24.0
> Reporter: Aaron Steigerwald
> Priority: Major
>
> The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR 400 Invalid SNI" to the client browser if the web server's certificate (defined in the {{bootstrap.xml}} file's web element's {{keyStorePath}} attribute) does not contain the server's DNS name. It also prevents the browser from using "https://localhost...". This makes running the broker in a dev and test environment difficult. A work around is to run it in HTTP mode but this prevents exercising the HTTPS parameters and certificates.
> I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be enabled by default or at least more strictly enforced.
> I disabled SNI host checking by modifying {{org.apache.activemq.artemis.component.WebServerComponent}} in the following way:
> Current 2.24.0 version:
> {code:java}
> httpConfiguration.addCustomizer(new SecureRequestCustomizer());{code}
> Modified 2.24.0 version to disable SNI host checking:
> {code:java}
> SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
> secureRequestCustomizer.setSniHostCheck(false);
> httpConfiguration.addCustomizer(secureRequestCustomizer);{code}
> Adding another binding attribute to the {{bootstrap.xml}} file's web element, like "disableSniHostCheck", and using it to set "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way to disable SNI host checking.
> -----
> The following is provided for reference:
> Server Name Indication (SNI)
> https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
> Search for "jetty.ssl.sniHostCheck" in https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
> {{artemis.log}} entries:
> {noformat}
> 2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel] handleException /console org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> 2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel] handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI{noformat}
> Browser message when trying to access https://localhost:8163/console with SNI host checking enabled and a certificate with a DNS entry that does not match the server:
> {noformat}
> HTTP ERROR 400 Invalid SNI
> URI: /console
> STATUS: 400
> MESSAGE: Invalid SNI
> SERVLET: -
> CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> Caused by:
> org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
> at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
> at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
> at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
> at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
> at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
> at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
> at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
> at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
> at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
> at java.base/java.lang.Thread.run(Thread.java:829){noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)