[jboss-jira] [JBoss JIRA] (WFWIP-101) SNI wildcard mappings match multiple level of subdomain
Jan Stourac (Jira)
issues at jboss.org
Wed Jan 30 07:14:08 EST 2019
[ https://issues.jboss.org/browse/WFWIP-101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Stourac updated WFWIP-101:
------------------------------
Steps to Reproduce:
# get and unzip WildFly
# go to WildFly home and prepare keystores:
{code}
keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
{code}
# start server, connect to CLI and configure SNI mappings:
{code}
/subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
{code}
# check how SNI works e.g. via OpenSSL s_client tool:
{code}
openssl s_client -showcerts -connect localhost:8443 -servername first-sublevel.example.com
openssl s_client -showcerts -connect localhost:8443 -servername second-sublevel.first-sublevel.example.com
{code}
was:
# configure Undertow HTTPS listener with Elytron server-ssl-sni-context with SNI mapping
{code}
.*\\.example\\.com
{code}
# perform handshake with SNIHostName _twosublevel.onesublevel.example.com_
> SNI wildcard mappings match multiple level of subdomain
> -------------------------------------------------------
>
> Key: WFWIP-101
> URL: https://issues.jboss.org/browse/WFWIP-101
> Project: WildFly WIP
> Issue Type: Bug
> Environment: Wildfly build with undertow and wildfly-core modules build from following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
> Reporter: Pavel Jelinek
> Assignee: Stuart Douglas
> Priority: Major
> Labels: SNI
>
> Based on the [text from analasys|https://github.com/wildfly/wildfly-proposals/blob/master/security/WFCORE-3873_SNI_Support.adoc#hard-requirements]:
> {quote}
> Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
> {quote}
> As such, in case I have configured SNI mapping for '.*\\.example\\.com', I expect that this mapping is selected for any single level of subdomain of example.com although, in case of any extra subdomain, this mapping is not utilized. In other words, following hostnames should match:
> {code}
> test.example.com
> another-test.example.com
> {code}
> although following should not be matched and default server-ssl-context shall be used instead:
> {code}
> two-sublevel.one-sublevel.example.com
> {code}
> Current behaviour also matches also 'two-sublevel.one-sublevel.example.com'.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
More information about the jboss-jira
mailing list