[jira] [Created] (ARTEMIS-3968) Optionally disable Management UI HTTPS SNI host checking

Thu, 01 Sep 2022 14:42:06 -0700 

Aaron Steigerwald created ARTEMIS-3968:
------------------------------------------

             Summary: Optionally disable Management UI HTTPS SNI host checking
                 Key: ARTEMIS-3968
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3968
             Project: ActiveMQ Artemis
          Issue Type: Improvement
          Components: Web Console
    Affects Versions: 2.24.0
            Reporter: Aaron Steigerwald


The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR 
400 Invalid SNI" to the client browser if the web server's certificate (defined 
in the bootstrap.xml file's web element's keyStorePath attribute) does not 
contain the server's DNS name. It also prevents the browser from using 
"https://localhost...";. This makes running the broker in a dev and test 
environment difficult. A work around is to run it in HTTP mode but this 
prevents exercising the HTTPS parameters and certificates.

I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be 
enabled by default or at least more strictly enforced.

I disabled SNI host checking by modifying 
org.apache.activemq.artemis.component.WebServerComponent in the following way:

Current 2.24.0 version:
         httpConfiguration.addCustomizer(new SecureRequestCustomizer());

Modified 2.24.0 version to disable SNI host checking:
         SecureRequestCustomizer secureRequestCustomizer = new 
SecureRequestCustomizer();
         secureRequestCustomizer.setSniHostCheck(false);
         httpConfiguration.addCustomizer(secureRequestCustomizer);

Adding another binding attribute to the bootstrap.xml file's web element, like 
"disableSniHostCheck", and using it to set 
"secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way 
to disable SNI host checking.

-----

The following is provided for reference:

Server Name Indication (SNI)

https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet

Search for "jetty.ssl.sniHostCheck" in 
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html

artemis.log entries:

2022-08-31 21:35:39,512 WARN  [org.eclipse.jetty.server.HttpChannel] 
handleException /console org.eclipse.jetty.http.BadMessageException: 400: 
Invalid SNI
2022-08-31 21:35:39,560 WARN  [org.eclipse.jetty.server.HttpChannel] 
handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: 
Invalid SNI

Browser message when trying to access https://localhost:8163/console with SNI 
host checking enabled and a certificate with a DNS entry that does not match 
the server:

HTTP ERROR 400 Invalid SNI
URI:    /console
STATUS:    400
MESSAGE:    Invalid SNI
SERVLET:    -
CAUSED BY:    org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
    at 
org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
    at 
org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
    at 
org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
    at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
    at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
    at 
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at 
org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
    at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
    at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
    at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
    at 
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
    at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
    at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:829)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to