This is an automated email from the ASF dual-hosted git repository.
ema pushed a commit to branch 3.5.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.5.x-fixes by this push:
new e449563794 [CXF-8668]:Set SniHostCheck to false for SSLNettyClientTest
(#916)
e449563794 is described below
commit e449563794873db92009554ff220090b66907051
Author: jimma <[email protected]>
AuthorDate: Thu Apr 7 09:29:02 2022 +0800
[CXF-8668]:Set SniHostCheck to false for SSLNettyClientTest (#916)
---
.../apache/cxf/configuration/jsse/TLSServerParameters.java | 14 ++++++++++++++
.../cxf/configuration/jsse/TLSServerParametersConfig.java | 3 +++
core/src/main/resources/schemas/configuration/security.xsd | 7 +++++++
.../cxf/transport/http_jetty/JettyHTTPServerEngine.java | 3 ++-
.../http/netty/client/integration/ServerConfig.xml | 2 +-
5 files changed, 27 insertions(+), 2 deletions(-)
diff --git
a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
index 9ba48d7e22..549459280f 100644
---
a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
+++
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java
@@ -33,6 +33,7 @@ public class TLSServerParameters extends TLSParameterBase {
ClientAuthentication clientAuthentication;
List<String> excludeProtocols = new ArrayList<>();
List<String> includeProtocols = new ArrayList<>();
+ boolean sniHostCheck;
/**
* This parameter configures the server side to request and/or
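Review bot: The new field `boolean sniHostCheck;` has no initializer, so it is `false` for every TLSServerParameters built in code, while the attribute added in security.xsd declares `default="true"`. The JettyHTTPServerEngine hunk now passes this value to `SecureRequestCustomizer(...)` where the no-argument constructor was used before; as far as I know that constructor enables the check, so existing servers would silently lose SNI host checking. The TLSServerParametersConfig hunk copies the value only when `params.isSetSniHostCheck()` is true, so an XML configuration that omits the attribute presumably also ends up with `false`. Initialising the field as `boolean sniHostCheck = true;` keeps the stricter default and matches the schema, and the test configuration can still opt out explicitly.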
@@ -83,4 +84,17 @@ public class TLSServerParameters extends TLSParameterBase {
return includeProtocols;
}
+ /**
+ * Returns if the SNI host name must match
+ */
+ public boolean isSniHostCheck() {
+ return sniHostCheck;
+ }
+
+ /**
+ * @param sniHostCheck if the SNI host name must match
+ */
+ public void setSniHostCheck(boolean sniHostCheck) {
+ this.sniHostCheck = sniHostCheck;
+ }
}
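Review bot: The Javadoc on `isSniHostCheck()` and `setSniHostCheck(boolean)` does not say what the SNI host name is matched against, which component enforces the check, or what the default is. Turning this off relaxes a TLS-side check, so I would spell that out, for example `Returns whether the Jetty engine rejects requests whose host name does not match the certificate selected through SNI.`, and add an `@return` tag. The exact wording should be confirmed against the Jetty `SecureRequestCustomizer` documentation. The one-line `sniHostCheck` documentation in security.xsd could be extended the same way.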
diff --git
a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index 29f9d82dca..e63623b2ca 100644
---
a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -92,6 +92,9 @@ public class TLSServerParametersConfig
if (params.isSetCertAlias()) {
this.setCertAlias(params.getCertAlias());
}
+ if (params.isSetSniHostCheck()) {
+ this.setSniHostCheck(params.isSniHostCheck());
+ }
if (iparams != null && iparams.isSetKeyManagersRef()) {
this.setKeyManagers(iparams.getKeyManagersRef());
}
diff --git a/core/src/main/resources/schemas/configuration/security.xsd
b/core/src/main/resources/schemas/configuration/security.xsd
index 5f5c5379f6..9e224a8011 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -657,5 +657,12 @@
</xs:documentation>
</xs:annotation>
</xs:attribute>
+ <xs:attribute name="sniHostCheck" type="pt:ParameterizedBoolean"
default="true">
+ <xs:annotation>
+ <xs:documentation>
+ If the SNI host name must match.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
</xs:complexType>
</xs:schema>
diff --git
a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index ffc8819526..35a3f2b91f 100644
---
a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -68,6 +68,7 @@ import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
@@ -679,7 +680,7 @@ public class JettyHTTPServerEngine implements ServerEngine,
HttpServerEngineSupp
result = new org.eclipse.jetty.server.ServerConnector(server);
if (tlsServerParameters != null) {
- httpConfig.addCustomizer(new
org.eclipse.jetty.server.SecureRequestCustomizer());
+ httpConfig.addCustomizer(new
SecureRequestCustomizer(tlsServerParameters.isSniHostCheck()));
if (!isHttp2Enabled(bus)) {
final SslConnectionFactory scf = new
SslConnectionFactory(sslcf, httpFactory.getProtocol());
diff --git
a/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
b/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
index 77c138bfb3..5be3543e7b 100644
---
a/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
+++
b/rt/transports/http-netty/netty-client/src/test/resources/org/apache/cxf/transport/http/netty/client/integration/ServerConfig.xml
@@ -31,7 +31,7 @@
<bean
class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"/>
<httpj:engine-factory>
<httpj:engine port="${SSLNettyClientTest.port}">
- <httpj:tlsServerParameters>
+ <httpj:tlsServerParameters sniHostCheck="false">
<sec:keyManagers keyPassword="skpass">
<sec:keyStore type="jks" password="sspass"
resource="keys/servicestore.jks"/>
</sec:keyManagers>
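Review bot: `sniHostCheck="false"` on `httpj:tlsServerParameters` is set without a comment saying why, and test configurations like this one tend to be reused as templates. An XML comment above the element would make the intent clear, for example `<!-- Test only: SNI host check disabled for SSLNettyClientTest (CXF-8668); keep it enabled outside tests. -->`. The element continues outside the hunk.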