[
https://issues.apache.org/jira/browse/DISPATCH-2259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kai Hudalla updated DISPATCH-2259:
----------------------------------
Description:
When the dispatch router is configured with an Auth Server Plugin that should
be accessed via a TLS connection, then the router includes the TLS Server Name
Indication extension ([https://datatracker.ietf.org/doc/html/rfc6066]) in its
TLS ServerHello message but sets the host_name to a value that is not a domain
name as mandated by the RFC. Instead, it sets the host_name to a combination of
the server name and the port configured for the Auth Server Plugin. So, for
Auth Server Plugin configuration
["authServicePlugin",
{ "name": "My Auth Server", "host": "my-auth-server.host}
",
"port": 5671,
"sslProfile": "external"
}]
the host_name set in the server_name extension is
my-auth-server.host:5671
which is not a valid domain name.
The TLS implementation that comes with Java 17 will fail the TLS handshake with
the dispatch router due to an illegal character in the host_name.
I believe that this problem may also arise with other outbound connections that
the router creates.
FMPOV the port suffix simply needs to be removed.
was:
When the dispatch router is configured with an Auth Server Plugin that should
be accessed via a TLS connection, then the router includes the TLS Server Name
Indication extension ([https://datatracker.ietf.org/doc/html/rfc6066]) in its
TLS ServerHello message but sets the host_name to a value that is not a domain
name as mandated by the RFC. Instead, it sets the host_name to a combination of
the server name and the port configured for the Auth Server Plugin. So, for
Auth Server Plugin configuration
["authServicePlugin",
{ "name": "My Auth Server", "host": "my-auth-server.host}",
"port": 5671,
"sslProfile": "external"
}]
the host_name set in the server_name extension is
my-auth-server.host:5671
which is not a valid domain name.
The TLS implementation that comes with Java 17 will fail the TLS handshake with
the dispatch router due to an illegal character in the host_name.
FMPOV the port suffix simply needs to be removed.
> server_name set by Dispatch Router contains illegal characters
> --------------------------------------------------------------
>
> Key: DISPATCH-2259
> URL: https://issues.apache.org/jira/browse/DISPATCH-2259
> Project: Qpid Dispatch
> Issue Type: Bug
> Components: Router Node
> Affects Versions: 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.16.1
> Reporter: Kai Hudalla
> Priority: Major
>
> When the dispatch router is configured with an Auth Server Plugin that should
> be accessed via a TLS connection, then the router includes the TLS Server
> Name Indication extension ([https://datatracker.ietf.org/doc/html/rfc6066])
> in its TLS ServerHello message but sets the host_name to a value that is not
> a domain name as mandated by the RFC. Instead, it sets the host_name to a
> combination of the server name and the port configured for the Auth Server
> Plugin. So, for Auth Server Plugin configuration
> ["authServicePlugin",
> { "name": "My Auth Server", "host": "my-auth-server.host}
> ",
> "port": 5671,
> "sslProfile": "external"
> }]
> the host_name set in the server_name extension is
> my-auth-server.host:5671
> which is not a valid domain name.
> The TLS implementation that comes with Java 17 will fail the TLS handshake
> with the dispatch router due to an illegal character in the host_name.
> I believe that this problem may also arise with other outbound connections
> that the router creates.
> FMPOV the port suffix simply needs to be removed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
