[GitHub] dg4prez closed pull request #3018: Use exact matching of requested name to certificate for SNI fields

Mon, 12 Nov 2018 07:15:02 -0800 

dg4prez closed pull request #3018: Use exact matching of requested name to 
certificate for SNI fields
URL: https://github.com/apache/trafficcontrol/pull/3018
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
 
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
index 1c2df67b9..2996cb016 100644
--- 
a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
+++ 
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
@@ -29,6 +29,7 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 // Uses the in memory CertificateRegistry to provide dynamic key and 
certificate management for the router
 // The provided default implementation does not allow for the key store to 
change state
@@ -87,11 +88,19 @@ private String chooseServerAlias(final ExtendedSSLSession 
sslSession) {
                        final String sniString = new 
String(requestedName.getEncoded());
                        stringBuilder.append(sniString);
 
-                       final Optional<String> optionalAlias = 
certificateRegistry.getAliases().stream().filter(sniString::contains).findFirst();
-                       if (optionalAlias.isPresent()) {
-                               log.info("KeyManager: FOUND certificate 
registry aliases matching " + optionalAlias.get());
-                               return optionalAlias.get();
+                       final List<String> partialAliasMatches = 
certificateRegistry.getAliases().stream().filter(sniString::contains).collect(Collectors.toList());
+                       Optional<String> alias = 
partialAliasMatches.stream().filter(sniString::contentEquals).findFirst();
+                       if (alias.isPresent()) {
+                           return alias.get();
                        }
+
+                       // Not an exact match, some of the aliases may have had 
the leading zone removed
+                       final String sniStringTrimmed = 
sniString.substring(sniString.indexOf('.') + 1);
+                       alias = 
partialAliasMatches.stream().filter(sniStringTrimmed::contentEquals).findFirst();
+                       if (alias.isPresent()) {
+                           return alias.get();
+                       }
+
                }
 
                if (stringBuilder.length() > 0) {
@@ -102,6 +111,7 @@ private String chooseServerAlias(final ExtendedSSLSession 
sslSession) {
                return null;
        }
 
+
        @Override
        public X509Certificate[] getCertificateChain(final String alias) {
                final HandshakeData handshakeData = 
certificateRegistry.getHandshakeData(alias);


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to