[
https://issues.apache.org/jira/browse/ARTEMIS-3968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Bertram updated ARTEMIS-3968:
------------------------------------
Description:
The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR
400 Invalid SNI" to the client browser if the web server's certificate (defined
in the {{bootstrap.xml}} file's web element's {{keyStorePath}} attribute) does
not contain the server's DNS name. It also prevents the browser from using
"https://localhost...";. This makes running the broker in a dev and test
environment difficult. A work around is to run it in HTTP mode but this
prevents exercising the HTTPS parameters and certificates.
I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be
enabled by default or at least more strictly enforced.
I disabled SNI host checking by modifying
{{org.apache.activemq.artemis.component.WebServerComponent}} in the following
way:
Current 2.24.0 version:
{code:java}
httpConfiguration.addCustomizer(new SecureRequestCustomizer());{code}
Modified 2.24.0 version to disable SNI host checking:
{code:java}
SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
secureRequestCustomizer.setSniHostCheck(false);
httpConfiguration.addCustomizer(secureRequestCustomizer);{code}
Adding another binding attribute to the {{bootstrap.xml}} file's web element,
like "disableSniHostCheck", and using it to set
"secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way
to disable SNI host checking.
-----
The following is provided for reference:
Server Name Indication (SNI)
https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
Search for "jetty.ssl.sniHostCheck" in
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
{{artemis.log}} entries:
{noformat}
2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel]
handleException /console org.eclipse.jetty.http.BadMessageException: 400:
Invalid SNI
2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel]
handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400:
Invalid SNI{noformat}
Browser message when trying to access https://localhost:8163/console with SNI
host checking enabled and a certificate with a DNS entry that does not match
the server:
{noformat}
HTTP ERROR 400 Invalid SNI
URI: /console
STATUS: 400
MESSAGE: Invalid SNI
SERVLET: -
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
at
org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
at
org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
at
org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at
org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
at
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
at java.base/java.lang.Thread.run(Thread.java:829){noformat}
was:
The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR
400 Invalid SNI" to the client browser if the web server's certificate (defined
in the bootstrap.xml file's web element's keyStorePath attribute) does not
contain the server's DNS name. It also prevents the browser from using
"https://localhost...";. This makes running the broker in a dev and test
environment difficult. A work around is to run it in HTTP mode but this
prevents exercising the HTTPS parameters and certificates.
I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be
enabled by default or at least more strictly enforced.
I disabled SNI host checking by modifying
org.apache.activemq.artemis.component.WebServerComponent in the following way:
Current 2.24.0 version:
httpConfiguration.addCustomizer(new SecureRequestCustomizer());
Modified 2.24.0 version to disable SNI host checking:
SecureRequestCustomizer secureRequestCustomizer = new
SecureRequestCustomizer();
secureRequestCustomizer.setSniHostCheck(false);
httpConfiguration.addCustomizer(secureRequestCustomizer);
Adding another binding attribute to the bootstrap.xml file's web element, like
"disableSniHostCheck", and using it to set
"secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way
to disable SNI host checking.
-----
The following is provided for reference:
Server Name Indication (SNI)
https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
Search for "jetty.ssl.sniHostCheck" in
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
artemis.log entries:
2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel]
handleException /console org.eclipse.jetty.http.BadMessageException: 400:
Invalid SNI
2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel]
handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400:
Invalid SNI
Browser message when trying to access https://localhost:8163/console with SNI
host checking enabled and a certificate with a DNS entry that does not match
the server:
HTTP ERROR 400 Invalid SNI
URI: /console
STATUS: 400
MESSAGE: Invalid SNI
SERVLET: -
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
at
org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
at
org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
at
org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at
org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
at
org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
at
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
at java.base/java.lang.Thread.run(Thread.java:829)
> Optionally disable Management UI HTTPS SNI host checking
> --------------------------------------------------------
>
> Key: ARTEMIS-3968
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3968
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Web Console
> Affects Versions: 2.24.0
> Reporter: Aaron Steigerwald
> Priority: Major
>
> The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR
> 400 Invalid SNI" to the client browser if the web server's certificate
> (defined in the {{bootstrap.xml}} file's web element's {{keyStorePath}}
> attribute) does not contain the server's DNS name. It also prevents the
> browser from using "https://localhost...";. This makes running the broker in a
> dev and test environment difficult. A work around is to run it in HTTP mode
> but this prevents exercising the HTTPS parameters and certificates.
> I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be
> enabled by default or at least more strictly enforced.
> I disabled SNI host checking by modifying
> {{org.apache.activemq.artemis.component.WebServerComponent}} in the following
> way:
> Current 2.24.0 version:
> {code:java}
> httpConfiguration.addCustomizer(new SecureRequestCustomizer());{code}
> Modified 2.24.0 version to disable SNI host checking:
> {code:java}
> SecureRequestCustomizer secureRequestCustomizer = new
> SecureRequestCustomizer();
> secureRequestCustomizer.setSniHostCheck(false);
> httpConfiguration.addCustomizer(secureRequestCustomizer);{code}
> Adding another binding attribute to the {{bootstrap.xml}} file's web element,
> like "disableSniHostCheck", and using it to set
> "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable
> way to disable SNI host checking.
> -----
> The following is provided for reference:
> Server Name Indication (SNI)
> https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
> Search for "jetty.ssl.sniHostCheck" in
> https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
> {{artemis.log}} entries:
> {noformat}
> 2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel]
> handleException /console org.eclipse.jetty.http.BadMessageException: 400:
> Invalid SNI
> 2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel]
> handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400:
> Invalid SNI{noformat}
> Browser message when trying to access https://localhost:8163/console with SNI
> host checking enabled and a certificate with a DNS entry that does not match
> the server:
> {noformat}
> HTTP ERROR 400 Invalid SNI
> URI: /console
> STATUS: 400
> MESSAGE: Invalid SNI
> SERVLET: -
> CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> Caused by:
> org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> at
> org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
> at
> org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
> at
> org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
> at
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
> at
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at
> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
> at
> org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
> at
> org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at
> org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
> at
> org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
> at java.base/java.lang.Thread.run(Thread.java:829){noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
