[ https://issues.apache.org/jira/browse/CXF-8668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Ma resolved CXF-8668.
-------------------------
    Resolution: Fixed

> Set SniHostCheck to false for SSLNettyClientTest
> ------------------------------------------------
>
>                 Key: CXF-8668
>                 URL: https://issues.apache.org/jira/browse/CXF-8668
>             Project: CXF
>          Issue Type: Task
>          Components: Transports
>    Affects Versions: 3.5.0, 3.4.5
>            Reporter: Jim Ma
>            Assignee: Jim Ma
>            Priority: Major
>             Fix For: 3.5.2, 3.4.7, 4.0.0
>
>
> After Jetty is upgraded to 11.x, the SniHostCheck is actually enabled after
> this change: [https://github.com/eclipse/jetty.project/pull/6078].
> The request IP address is 127.0.0.1 and it isn't in the allowed address
> list, hence the SSLNettyClientTest fails:
> {code:java}
> [INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
> [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
> [ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation Time elapsed: 0.482 s <<< ERROR!
> jakarta.xml.ws.WebServiceException: Could not send Message.
>     at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
> Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
>     at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
> {code}
>
> CXF 3.5.0 includes Jetty 9.4.44 and Jetty's SecureRequestCustomizer happens
> to skip sniHostCheck when the x509 is null and sniRequired is false:
> {code:java}
> SSLSession sslSession = sslEngine.getSession();
> if (_sniHostCheck || _sniRequired)
> {
>     X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
>     if (LOG.isDebugEnabled())
>         LOG.debug("Host {} with SNI {}", request.getServerName(), x509);
>     if (x509 == null)
>     {
>         if (_sniRequired)
>             throw new BadMessageException(400, "SNI required");
>     }
>     else if (_sniHostCheck && !x509.matches(request.getServerName()))
>     {
>         throw new BadMessageException(400, "Host does not match SNI");
>     }
> }
> {code}
> This means it doesn't execute sniHostCheck even though the default value is true.
> See this issue: https://github.com/eclipse/jetty.project/issues/5379
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
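
A JDK-only model of the branch quoted in the issue, set beside an assumed stricter variant in which a missing SNI certificate no longer bypasses the host check. This is an added example, not Jetty or CXF code: `SniCheckModel`, `lenient`, `strict` and the certificate names are hypothetical, and `matches` is a simplified stand-in for `x509.matches`.

```java
import java.util.Locale;
import java.util.Set;

public class SniCheckModel {
    enum Result { ACCEPT, REJECT_SNI_REQUIRED, REJECT_HOST_MISMATCH }

    // Simplified stand-in for x509.matches(host): exact name or one-label wildcard.
    static boolean matches(Set<String> certNames, String host) {
        String h = host.toLowerCase(Locale.ROOT);
        if (certNames.contains(h)) return true;
        int dot = h.indexOf('.');
        return dot > 0 && certNames.contains("*." + h.substring(dot + 1));
    }

    // Mirrors the quoted branch; certNames == null stands for x509 == null.
    static Result lenient(boolean hostCheck, boolean sniRequired, Set<String> certNames, String host) {
        if (hostCheck || sniRequired) {
            if (certNames == null) {
                if (sniRequired) return Result.REJECT_SNI_REQUIRED;
                // falls through: the host check is never evaluated on this path
            } else if (hostCheck && !matches(certNames, host)) {
                return Result.REJECT_HOST_MISMATCH;
            }
        }
        return Result.ACCEPT;
    }

    // Assumed strict variant (not Jetty source): no certificate selected by SNI
    // counts as a mismatch whenever the host check is enabled.
    static Result strict(boolean hostCheck, boolean sniRequired, Set<String> certNames, String host) {
        if (certNames == null && sniRequired) return Result.REJECT_SNI_REQUIRED;
        if (hostCheck && (certNames == null || !matches(certNames, host)))
            return Result.REJECT_HOST_MISMATCH;
        return Result.ACCEPT;
    }

    static void show(boolean hostCheck, Set<String> certNames, String host) {
        System.out.printf("hostCheck=%-5b cert=%-7s host=%-17s lenient=%-20s strict=%s%n",
            hostCheck, certNames == null ? "none" : "present", host,
            lenient(hostCheck, false, certNames, host), strict(hostCheck, false, certNames, host));
    }

    public static void main(String[] args) {
        Set<String> cert = Set.of("example.test", "*.example.test"); // constructed names
        show(true, null, "localhost");          // only the strict variant rejects
        show(true, cert, "localhost");          // both reject: name not on the certificate
        show(true, cert, "api.example.test");   // both accept via the wildcard entry
        show(false, null, "localhost");         // host check off, as in the test fix: both accept
    }
}
```

Run with `java SniCheckModel.java` on Java 11 or later. The first row is the case that passes only because the check is skipped, so it is the one to watch when upgrading a server whose certificate does not cover the host name clients use.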