[jboss-jira] [JBoss JIRA] (WFWIP-100) SNI - exact hostname match is not preferred to match with wildcard
Jan Stourac (Jira)
issues at jboss.org
Wed Jan 30 07:02:00 EST 2019
[ https://issues.jboss.org/browse/WFWIP-100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13689026#comment-13689026 ]
Jan Stourac edited comment on WFWIP-100 at 1/30/19 7:01 AM:
------------------------------------------------------------
This issue is no longer present in the current implementation. Checked with {{WildFly 15.0.0.Final}}. Closing as fixed.
Note - just for future reference, here is a more comprehensive list of reproduction steps:
# get and unzip WildFly
# go to WildFly home and prepare keystores:
{code}
keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias exact-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/exact.keystore.jks -dname "CN=exact" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
{code}
# start server, connect to CLI and configure SNI mappings:
{code}
/subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=exactKS:add(path=exact.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=exactKM:add(key-store=exactKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=exactSSC:add(key-manager=exactKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={"www\\.example\\.com"=exactSSC,".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
{code}
# check how SNI works, e.g. via the OpenSSL s_client tool:
{code}
openssl s_client -showcerts -connect localhost:8443 -servername www.example.com
openssl s_client -showcerts -connect localhost:8443 -servername non-www.example.com
{code}
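The host-context-map lookup the steps above exercise, as an added Python illustration (not Elytron or Undertow code): a naive first-match walk over the map depends on entry order and can hand www.example.com the wildcard context, while an exact-before-regex lookup returns the same result regardless of order. The patterns and context names are the ones configured above; the two entry orders and the resolver functions are assumptions made for the illustration.

```python
import re

# Constructed from the CLI configuration above (patterns as the regex engine
# sees them, i.e. with the CLI's double backslashes unescaped).
EXACT_FIRST = [(r"www\.example\.com", "exactSSC"),
               (r".*\.example\.com", "asteriskSSC")]
# Same entries, but with the wildcard first, as an unordered map might yield.
WILDCARD_FIRST = list(reversed(EXACT_FIRST))
DEFAULT_CONTEXT = "defaultSSC"


def is_literal(pattern: str) -> bool:
    """True if the pattern has no unescaped regex metacharacters, so it can
    only ever match a single exact host name."""
    stripped = re.sub(r"\\.", "", pattern)          # drop escaped chars like \.
    return re.search(r"[.*+?^$|()\[\]{}]", stripped) is None


def unescape(pattern: str) -> str:
    """Turn a literal pattern such as www\\.example\\.com into the host name."""
    return re.sub(r"\\(.)", r"\1", pattern)


def resolve_first_match(sni_host, host_context_map, default=DEFAULT_CONTEXT):
    """Naive resolution: first entry whose regex matches wins.  Whether
    www.example.com gets exactSSC or asteriskSSC now depends purely on the
    order of the entries, which is the misbehaviour the ticket describes."""
    host = sni_host.lower()
    for pattern, ctx in host_context_map:
        if re.fullmatch(pattern, host, re.IGNORECASE):
            return ctx
    return default


def resolve_exact_first(sni_host, host_context_map, default=DEFAULT_CONTEXT):
    """Order-independent resolution: a literal entry equal to the SNI host
    beats every regex entry; regex entries are only consulted afterwards;
    the default context is the final fallback."""
    host = sni_host.lower()
    for pattern, ctx in host_context_map:
        if is_literal(pattern) and unescape(pattern).lower() == host:
            return ctx
    for pattern, ctx in host_context_map:
        if not is_literal(pattern) and re.fullmatch(pattern, host, re.IGNORECASE):
            return ctx
    return default
```

With the wildcard entry first, the naive resolver serves www.example.com the asterisk certificate, which is exactly what the original report observed; the exact-first resolver picks exactSSC in both orders.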
> SNI - exact hostname match is not preferred to match with wildcard
> ------------------------------------------------------------------
>
> Key: WFWIP-100
> URL: https://issues.jboss.org/browse/WFWIP-100
> Project: WildFly WIP
> Issue Type: Bug
> Environment: Wildfly build with undertow and wildfly-core modules build from following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> Client got peer certificate mapped by the more general mapping
> {code}
> .*\\.example\\.com
> {code}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)