[jboss-jira] [JBoss JIRA] (WFCORE-4302) SNI wildcard mappings match multiple level of subdomain

Jan Stourac (Jira) issues at jboss.org
Fri Mar 29 12:59:02 EDT 2019


    [ https://issues.jboss.org/browse/WFCORE-4302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715162#comment-13715162 ] 

Jan Stourac commented on WFCORE-4302:
-------------------------------------

[~mmazanek], I understand your point. However, the correct variant is actually:
{code}
host-context-map={".*\\..*\\.example\\.com"=defaultSSC, "[^.]*\\.example\\.com"=asteriskSSC}
{code}
or simply
{code}
host-context-map={"[^.]*\\.example\\.com"=asteriskSSC}
{code}

Yeah... so the user has to be aware that they have to provide a correct regular expression instead of a simple notation.

> SNI wildcard mappings match multiple level of subdomain
> -------------------------------------------------------
>
>                 Key: WFCORE-4302
>                 URL: https://issues.jboss.org/browse/WFCORE-4302
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 7.0.0.Final
>         Environment: Wildfly build with undertow and wildfly-core modules build from following sources:
> * https://github.com/stuartwdouglas/undertow/tree/sni
> * https://github.com/stuartwdouglas/wildfly-core/tree/sni
>            Reporter: Pavel Jelinek
>            Assignee: Martin Mazanek
>            Priority: Major
>              Labels: SNI
>
> Based on the [text from analysis|https://github.com/wildfly/wildfly-proposals/blob/master/security/WFCORE-3873_SNI_Support.adoc#hard-requirements]:
> {quote}
> Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.
> {quote}
> As such, in case I have configured SNI mapping for:
> {code}
> .*\\.example\\.com
> {code}
> I expect this mapping to be selected for any single-level subdomain of example.com, but not when there is any extra subdomain level. In other words, the following hostnames should match:
> {code}
> test.example.com
> another-test.example.com
> {code}
> but the following should not be matched, and the default server-ssl-context shall be used instead:
> {code}
> two-sublevel.one-sublevel.example.com
> {code}
> Current behaviour also matches 'two-sublevel.one-sublevel.example.com'.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
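The whole disagreement above comes down to regex semantics: `.*` happily crosses dots, so `.*\\.example\\.com` matches every depth of subdomain, whereas `[^.]*` stops at the first dot and therefore mirrors the single-label rule of wildcard certificates. The following is an added example, not code from WildFly or Undertow, that plays through the reporter's hostnames against both the loose and the corrected `host-context-map` patterns. It assumes a first-match scan over the map and whole-hostname matching (Java `Pattern.matcher(...).matches()` semantics, which is `re.fullmatch` in Python); the map structure and the context names `defaultSSC` / `asteriskSSC` are taken from the comment, and the `select_context` helper is constructed for illustration.

```python
import re

# Constructed sample maps, mirroring the patterns in the JIRA thread.
# Java's "\\." string escaping is written as a Python raw string here.

# The reporter's pattern: ".*" crosses dots, so it matches any depth.
LOOSE_MAP = [
    (r".*\.example\.com", "asteriskSSC"),
]

# The corrected variant from the comment: "[^.]*" cannot cross a dot,
# so it matches exactly one label under example.com.
STRICT_MAP = [
    (r".*\..*\.example\.com", "defaultSSC"),   # two or more labels
    (r"[^.]*\.example\.com", "asteriskSSC"),   # exactly one label
]

# The "or simply" variant: a single entry, falling through to the default.
SIMPLE_MAP = [
    (r"[^.]*\.example\.com", "asteriskSSC"),
]

# Constructed hostnames from the issue description.
SAMPLE_HOSTS = [
    "test.example.com",
    "another-test.example.com",
    "two-sublevel.one-sublevel.example.com",
    "example.com",
]


def select_context(host_context_map, sni_host, default="defaultSSC"):
    """Return the context for the first pattern that matches the whole SNI host.

    Assumption (hypothetical, not verified against WildFly): entries are
    scanned in order and the pattern must cover the entire hostname.
    DNS names are case-insensitive, so the host is lower-cased first.
    """
    host = sni_host.lower().rstrip(".")
    for pattern, context in host_context_map:
        if re.fullmatch(pattern, host):
            return context
    return default


def classify(host_context_map, hosts=SAMPLE_HOSTS):
    """Map each sample hostname to the context the given map would select."""
    return {h: select_context(host_context_map, h) for h in hosts}


def overmatched_hosts(host_context_map, hosts=SAMPLE_HOSTS):
    """Hosts with more than one label under example.com that still land on
    asteriskSSC; a non-empty result is the bug the issue describes."""
    return [
        h for h in hosts
        if h.count(".") > 2 and select_context(host_context_map, h) == "asteriskSSC"
    ]


if __name__ == "__main__":
    for name, m in (("loose", LOOSE_MAP), ("strict", STRICT_MAP), ("simple", SIMPLE_MAP)):
        print(name, classify(m), "over-matched:", overmatched_hosts(m))
```

The `overmatched_hosts` check is the test a practitioner wants before shipping such a map: any multi-label host that still resolves to the wildcard context would be served by a context whose wildcard certificate cannot cover that name.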

