[https://issues.apache.org/jira/browse/CXF-8668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Jim Ma updated CXF-8668:
------------------------
Description:
After Jetty is upgraded to 11.x, the SniHostCheck is actually enabled after
this change: [https://github.com/eclipse/jetty.project/pull/6078].
The request IP address is 127.0.0.1 and it isn't in the allowed address list,
hence the SSLNettyClientTest fails:
{code:java}
[INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation  Time elapsed: 0.482 s <<< ERROR!
jakarta.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103){code}
CXF 3.5.0 includes Jetty 9.4.44, and Jetty's SecureRequestCustomizer happens
to skip sniHostCheck when the x509 is null and sniRequired is false:
{code:java}
SSLSession sslSession = sslEngine.getSession();
if (_sniHostCheck || _sniRequired)
{
    X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
    if (LOG.isDebugEnabled())
        LOG.debug("Host {} with SNI {}", request.getServerName(), x509);
    if (x509 == null)
    {
        if (_sniRequired)
            throw new BadMessageException(400, "SNI required");
    }
    else if (_sniHostCheck && !x509.matches(request.getServerName()))
    {
        throw new BadMessageException(400, "Host does not match SNI");
    }
}{code}
This means it doesn't execute sniHostCheck even though the default value is true.
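As an added illustration (not CXF's or Jetty's own code) of where the Jetty 11 check lives and how a loopback-only test can relax it, the following stands up a plain Jetty HTTPS connector; the keystore path, password and port are assumed values, and CXF's own engine configuration may wire this differently.

```java
// Added example: minimal Jetty 11 HTTPS connector with the SNI host check
// configurable per environment. Keystore path/password are assumptions.
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class LoopbackTlsServer {

    /** Builds the HTTPS request configuration; sniHostCheck is relaxed only for tests. */
    static HttpConfiguration httpsConfig(boolean loopbackTest) {
        HttpConfiguration config = new HttpConfiguration();
        config.setSecureScheme("https");
        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        // Jetty 11 default: sniHostCheck=true, sniRequired=false. With the check on,
        // a client that connects to 127.0.0.1/localhost and whose SNI does not
        // match the selected certificate is rejected with "400: Invalid SNI".
        if (loopbackTest) {
            customizer.setSniHostCheck(false); // test-only; keep the default (true) in production
        }
        config.addCustomizer(customizer);
        return config;
    }

    static Server start(String keyStorePath, String keyStorePassword, int port,
                        boolean loopbackTest) throws Exception {
        Server server = new Server();
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);       // assumed location supplied by the caller
        ssl.setKeyStorePassword(keyStorePassword);
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig(loopbackTest)));
        https.setHost("127.0.0.1"); // the test server only needs to listen on loopback
        https.setPort(port);
        server.addConnector(https);
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Assumed keystore location, password and port; replace with the test's own values.
        Server server = start("target/test-classes/keystore.jks", "changeit", 36101, true);
        server.join();
    }
}
```

Leaving sniHostCheck at its default outside the test keeps Jetty rejecting requests whose SNI does not match the served certificate.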
was:
After Jetty is upgraded to 11.x, the SniHostCheck is actually enabled after
this change: [https://github.com/eclipse/jetty.project/pull/6078].
The request IP address is 127.0.0.1 and it isn't in the allowed address list,
hence the SSLNettyClientTest fails:
{code:java}
[INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
[ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation  Time elapsed: 0.482 s <<< ERROR!
jakarta.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
    at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103){code}
> Set SniHostCheck to false for SSLNettyClientTest
> ------------------------------------------------
>
> Key: CXF-8668
> URL: https://issues.apache.org/jira/browse/CXF-8668
> Project: CXF
> Issue Type: Task
> Components: Transports
> Reporter: Jim Ma
> Priority: Major
>
> After Jetty is upgraded to 11.x, the SniHostCheck is actually enabled after
> this change: [https://github.com/eclipse/jetty.project/pull/6078].
> The request IP address is 127.0.0.1 and it isn't in the allowed address
> list, hence the SSLNettyClientTest fails:
> {code:java}
> [INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
> [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
> [ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation  Time elapsed: 0.482 s <<< ERROR!
> jakarta.xml.ws.WebServiceException: Could not send Message.
>     at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
> Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
>     at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103){code}
>
> CXF 3.5.0 includes Jetty 9.4.44, and Jetty's SecureRequestCustomizer happens
> to skip sniHostCheck when the x509 is null and sniRequired is false:
> {code:java}
> SSLSession sslSession = sslEngine.getSession();
> if (_sniHostCheck || _sniRequired)
> {
>     X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
>     if (LOG.isDebugEnabled())
>         LOG.debug("Host {} with SNI {}", request.getServerName(), x509);
>     if (x509 == null)
>     {
>         if (_sniRequired)
>             throw new BadMessageException(400, "SNI required");
>     }
>     else if (_sniHostCheck && !x509.matches(request.getServerName()))
>     {
>         throw new BadMessageException(400, "Host does not match SNI");
>     }
> }{code}
> This means it doesn't execute sniHostCheck even though the default value is true.
>
--
This message was sent by Atlassian Jira (v8.20.1#820001)