[JBoss JIRA] (WFWIP-101) SNI wildcard mappings match multiple level of subdomain
by Jan Stourac (Jira)
[ https://issues.jboss.org/browse/WFWIP-101?page=com.atlassian.jira.plugin.... ]
Jan Stourac updated WFWIP-101:
------------------------------
Description:
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for:
{code}
.*\\.example\\.com
{code}
I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
{code}
test.example.com
another-test.example.com
{code}
although the following should not be matched and the default server-ssl-context shall be used instead:
{code}
two-sublevel.one-sublevel.example.com
{code}
Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
was:
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
{code}
test.example.com
another-test.example.com
{code}
although the following should not be matched and the default server-ssl-context shall be used instead:
{code}
two-sublevel.one-sublevel.example.com
{code}
Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
> SNI wildcard mappings match multiple level of subdomain
> -------------------------------------------------------
>
> Key: WFWIP-101
> URL: https://issues.jboss.org/browse/WFWIP-101
> Project: WildFly WIP
> Issue Type: Bug
> Environment: WildFly build with undertow and wildfly-core modules built from the following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
> {quote}
> Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
> {quote}
> As such, in case I have configured SNI mapping for:
> {code}
> .*\\.example\\.com
> {code}
> I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
> {code}
> test.example.com
> another-test.example.com
> {code}
> although the following should not be matched and the default server-ssl-context shall be used instead:
> {code}
> two-sublevel.one-sublevel.example.com
> {code}
> Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
[JBoss JIRA] (WFWIP-101) SNI wildcard mappings match multiple level of subdomain
by Jan Stourac (Jira)
[ https://issues.jboss.org/browse/WFWIP-101?page=com.atlassian.jira.plugin.... ]
Jan Stourac updated WFWIP-101:
------------------------------
Steps to Reproduce:
# get and unzip WildFly
# go to WildFly home and prepare keystores:
{code}
keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
{code}
# start server, connect to CLI and configure SNI mappings:
{code}
/subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
{code}
# check how SNI works e.g. via OpenSSL s_client tool:
{code}
openssl s_client -showcerts -connect localhost:8443 -servername first-sublevel.example.com
openssl s_client -showcerts -connect localhost:8443 -servername second-sublevel.first-sublevel.example.com
{code}
was:
# configure Undertow HTTPS listener with Elytron server-ssl-sni-context with SNI mapping
{code}
.*\\.example\\.com
{code}
# perform handshake with SNIHostName _twosublevel.onesublevel.example.com_
> SNI wildcard mappings match multiple level of subdomain
> -------------------------------------------------------
>
> Key: WFWIP-101
> URL: https://issues.jboss.org/browse/WFWIP-101
> Project: WildFly WIP
> Issue Type: Bug
> Environment: WildFly build with undertow and wildfly-core modules built from the following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
> {quote}
> Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
> {quote}
> As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
> {code}
> test.example.com
> another-test.example.com
> {code}
> although the following should not be matched and the default server-ssl-context shall be used instead:
> {code}
> two-sublevel.one-sublevel.example.com
> {code}
> Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
--
[JBoss JIRA] (WFWIP-100) SNI - exact hostname match is not preferred to match with wildcard
by Jan Stourac (Jira)
[ https://issues.jboss.org/browse/WFWIP-100?page=com.atlassian.jira.plugin.... ]
Jan Stourac edited comment on WFWIP-100 at 1/30/19 7:01 AM:
------------------------------------------------------------
This issue is no longer present in current implementation. Checked with {{WildFly 15.0.0.Final}}. Closing as fixed.
Note - just for future reference, here is a more comprehensive list of reproduction steps:
# get and unzip WildFly
# go to WildFly home and prepare keystores:
{code}
keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias exact-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/exact.keystore.jks -dname "CN=exact" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
{code}
# start server, connect to CLI and configure SNI mappings:
{code}
/subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=exactKS:add(path=exact.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=exactKM:add(key-store=exactKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=exactSSC:add(key-manager=exactKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={"www\\.example\\.com"=exactSSC,".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
{code}
# check how SNI works e.g. via OpenSSL s_client tool:
{code}
openssl s_client -showcerts -connect localhost:8443 -servername www.example.com
openssl s_client -showcerts -connect localhost:8443 -servername non-www.example.com
{code}
was (Author: jstourac):
This issue is no longer present in current implementation. Checked with {{WildFly 15.0.0.Final}}. Closing as fixed.
> SNI - exact hostname match is not preferred to match with wildcard
> -----------------------------------------------------------------
>
> Key: WFWIP-100
> URL: https://issues.jboss.org/browse/WFWIP-100
> Project: WildFly WIP
> Issue Type: Bug
> Environment: WildFly build with undertow and wildfly-core modules built from the following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> The client got a peer certificate mapped by the more general mapping
> {code}
> .*\\.example\\.com
> {code}
--
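Added example, not WildFly or Elytron code: a small Python model of the two matching rules that the WFWIP-101 reproducer and the WFWIP-100 comment above ask for, so the hostnames from the CLI steps can be checked offline before a server is built. `regex_select` treats the keys of a host-context-map as regular expressions with first-match-wins semantics; that is an assumed model of the behaviour the reporters observed, not a reading of the Elytron source. `select_context` implements the intended semantics: an exact hostname entry is preferred over any wildcard entry, and `*` matches exactly one DNS label, as in a wildcard certificate (RFC 6125 section 6.4.3). The mapping keys and the context names `defaultSSC`, `exactSSC` and `asteriskSSC` are taken from the reproducer; the hostname `test.example.com.attacker.net` is constructed here to show what an unanchored regex would accept. Whether Elytron anchors its patterns is not stated on this page, so that hostname is worth adding to the `openssl s_client -servername` check next to the two names the reproducer already lists.

```python
import re

DEFAULT_CONTEXT = "defaultSSC"

# Constructed host-context-map in the style of the reproducer's CLI command.
# Values are plain context names here; in Elytron they would name
# server-ssl-context resources.
REGEX_MAP = {
    "www\\.example\\.com": "exactSSC",
    ".*\\.example\\.com": "asteriskSSC",
}

# The same intent written as certificate-style wildcard names.
WILDCARD_MAP = {
    "www.example.com": "exactSSC",
    "*.example.com": "asteriskSSC",
}


def regex_select(sni_host, mapping, default, anchored=True):
    """Naive selection: keys are regular expressions, the first key that
    matches wins, so dictionary order decides between overlapping keys.
    This models the behaviour the reporters observed (assumption, not the
    Elytron source).  With anchored=False the name is tested with re.match,
    which pins only the start of the string."""
    for pattern, ctx in mapping.items():
        hit = re.fullmatch(pattern, sni_host) if anchored else re.match(pattern, sni_host)
        if hit:
            return ctx
    return default


def wildcard_matches(pattern, host):
    """Match a wildcard name the way wildcard certificates are matched:
    '*' must be the whole left-most label, it covers exactly one non-empty
    label, and at least two fixed labels must follow it so that '*.com'
    never matches every .com name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # '*' not left-most, or a partial-label wildcard such as 'f*'
    if len(p_labels) < 3:
        return False  # refuse '*.com'
    if len(p_labels) != len(h_labels):
        return False  # label counts differ: '*' covers exactly one label
    if not h_labels[0]:
        return False  # empty left-most label
    return p_labels[1:] == h_labels[1:]


def select_context(sni_host, mapping, default):
    """Exact entries win over wildcard entries regardless of insertion
    order; among wildcard entries the first match wins."""
    host = sni_host.lower().rstrip(".")
    normalised = {k.lower().rstrip("."): v for k, v in mapping.items()}
    if host in normalised:
        return normalised[host]
    for pattern, ctx in normalised.items():
        if "*" in pattern and wildcard_matches(pattern, host):
            return ctx
    return default


if __name__ == "__main__":
    for name in ("www.example.com", "test.example.com",
                 "two-sublevel.one-sublevel.example.com",
                 "test.example.com.attacker.net"):
        print(f"{name:40} regex={regex_select(name, REGEX_MAP, DEFAULT_CONTEXT):12} "
              f"wildcard={select_context(name, WILDCARD_MAP, DEFAULT_CONTEXT)}")
```

Running the file prints one line per hostname with the context each matcher selects: the multi-level name lands in `asteriskSSC` under the regex model and in `defaultSSC` under the single-label rule, and `www.example.com` stays in `exactSSC` under `select_context` even when the wildcard entry is listed first, which is the ordering that trips the naive first-match model.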
[JBoss JIRA] (WFWIP-101) SNI wildcard mappings match multiple level of subdomain
by Jan Stourac (Jira)
[ https://issues.jboss.org/browse/WFWIP-101?page=com.atlassian.jira.plugin.... ]
Jan Stourac updated WFWIP-101:
------------------------------
Description:
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
{code}
test.example.com
another-test.example.com
{code}
although the following should not be matched and the default server-ssl-context shall be used instead:
{code}
two-sublevel.one-sublevel.example.com
{code}
Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
was:
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for '
The client got a peer certificate mapped by the mapping even though the wildcard matches more than one level of subdomain.
> SNI wildcard mappings match multiple level of subdomain
> -------------------------------------------------------
>
> Key: WFWIP-101
> URL: https://issues.jboss.org/browse/WFWIP-101
> Project: WildFly WIP
> Issue Type: Bug
> Environment: WildFly build with undertow and wildfly-core modules built from the following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]
> {quote}
> Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
> {quote}
> As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
> {code}
> test.example.com
> another-test.example.com
> {code}
> although the following should not be matched and the default server-ssl-context shall be used instead:
> {code}
> two-sublevel.one-sublevel.example.com
> {code}
> Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
--
[JBoss JIRA] (WFWIP-101) SNI wildcard mappings match multiple level of subdomain
by Jan Stourac (Jira)
[ https://issues.jboss.org/browse/WFWIP-101?page=com.atlassian.jira.plugin.... ]
Jan Stourac updated WFWIP-101:
------------------------------
Description:
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
{code}
test.example.com
another-test.example.com
{code}
although the following should not be matched and the default server-ssl-context shall be used instead:
{code}
two-sublevel.one-sublevel.example.com
{code}
Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
was:
Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]
{quote}
Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
{quote}
As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
{code}
test.example.com
another-test.example.com
{code}
although the following should not be matched and the default server-ssl-context shall be used instead:
{code}
two-sublevel.one-sublevel.example.com
{code}
Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
> SNI wildcard mappings match multiple level of subdomain
> -------------------------------------------------------
>
> Key: WFWIP-101
> URL: https://issues.jboss.org/browse/WFWIP-101
> Project: WildFly WIP
> Issue Type: Bug
> Environment: WildFly build with undertow and wildfly-core modules built from the following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/securit...]:
> {quote}
> Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
> {quote}
> As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single-level subdomain of example.com, although in case of any extra subdomain level this mapping is not utilized. In other words, the following hostnames should match:
> {code}
> test.example.com
> another-test.example.com
> {code}
> although the following should not be matched and the default server-ssl-context shall be used instead:
> {code}
> two-sublevel.one-sublevel.example.com
> {code}
> Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.
--