[
https://issues.apache.org/jira/browse/CXF-8668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jim Ma resolved CXF-8668.
-------------------------
Resolution: Fixed
> Set SniHostCheck to false for SSLNettyClientTest
> ------------------------------------------------
>
> Key: CXF-8668
> URL: https://issues.apache.org/jira/browse/CXF-8668
> Project: CXF
> Issue Type: Task
> Components: Transports
> Affects Versions: 3.5.0, 3.4.5
> Reporter: Jim Ma
> Assignee: Jim Ma
> Priority: Major
> Fix For: 3.5.2, 3.4.7, 4.0.0
>
>
> After Jetty is upgraded to 11.x, the SniHostCheck is actually enabled after
> this change: https://github.com/eclipse/jetty.project/pull/6078.
> The request IP address is 127.0.0.1 and it isn't in the allowed address
> list, hence the SSLNettyClientTest fails:
> {code:java}
> [INFO] Running
> org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
> [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38
> s <<< FAILURE! - in
> org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
> [ERROR]
> org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation
> Time elapsed: 0.482 s <<< ERROR!
> jakarta.xml.ws.WebServiceException: Could not send Message.
> at
> org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
> Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400:
> Invalid SNI' when communicating with
> https://localhost:36101/SoapContext/SoapPort
> at
> org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103){code}
>
> CXF 3.5.0 includes Jetty 9.4.44 and Jetty's SecureRequestCustomizer happens to
> skip sniHostCheck when the x509 is null and sniRequired is false:
> {code:java}
> SSLSession sslSession = sslEngine.getSession();
> if (_sniHostCheck || _sniRequired)
> {
>     X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
>     if (LOG.isDebugEnabled())
>         LOG.debug("Host {} with SNI {}", request.getServerName(), x509);
>     if (x509 == null)
>     {
>         if (_sniRequired)
>             throw new BadMessageException(400, "SNI required");
>     }
>     else if (_sniHostCheck && !x509.matches(request.getServerName()))
>     {
>         throw new BadMessageException(400, "Host does not match SNI");
>     }
> }{code}
> This means it doesn't execute sniHostCheck even though the default value is true.
> See this issue: https://github.com/eclipse/jetty.project/issues/5379
>
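Added example, not part of the issue and not CXF or Jetty code: a pre-upgrade check of whether a certificate's names cover the hosts that clients put in the request URL, which is the comparison the host check in the quoted snippet makes. The class name, the matcher (a simplified assumption, not Jetty's `X509.matches`) and the certificate names are constructed for illustration.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SniHostPrecheck {
    // Collect dNSName (type 2) and iPAddress (type 7) SAN entries from a real
    // certificate, e.g. one loaded from the server keystore.
    static List<String> sanNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return names;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if (type == 2 || type == 7) names.add(san.get(1).toString());
        }
        return names;
    }

    // Simplified matcher (assumption): exact name, or a "*.suffix" entry that
    // covers exactly one additional left-most label.
    static boolean covers(List<String> certNames, String host) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String n : certNames) {
            String name = n.toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (name.startsWith("*.")) {
                int dot = h.indexOf('.');
                if (dot > 0 && h.substring(dot).equals(name.substring(1))) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed name list standing in for sanNames(cert).
        List<String> certNames = List.of("service.example.test", "*.internal.example.test");
        // Hosts clients are expected to use, including the two from the failing test.
        for (String host : List.of("service.example.test", "a.internal.example.test",
                                   "localhost", "127.0.0.1")) {
            System.out.println(host + " -> "
                + (covers(certNames, host) ? "covered" : "not covered, host check would reject"));
        }
    }
}
```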