Peter,

On 11/11/14 4:03 PM, Peter Robbins wrote:
> Hi there, I’m running into an issue with fully-qualified domain
> names and https using Tomcat 8 and JDK 8.
>
> Tomcat version: 8.0.14
> JDK Version: 1.8.0_25
> OS: Mac OS X 10.10
>
> If you include the trailing dot in a request over https, the TLS
> handshake will fail. It appears that it tries to fall back to
> SSLv3, but if you have SSLv3 disabled, the whole thing just fails.

If you have SSLv3 enabled, does it succeed?

> My SSL Connector looks like this:
>
> <Connector SSLEnabled="true"
>   URIEncoding="UTF-8" acceptCount="100" clientAuth="false" debug="1"
>   disableUploadTimeout="true" enableLookups="false"
>   keystoreFile="../keystore.jks" keystorePass="password"
>   maxHttpHeaderSize="8192" keyAlias="selfsigned" port="8443"
>   protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
>   secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2">
>
> https://localhost.:8443 in Chrome 38 returns
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
>
> The output from javax.net.debug=all contains this:
>
> http-bio-8443-exec-5, handling exception:
> javax.net.ssl.SSLProtocolException: Illegal server name,
> type=host_name(0), name=localhost.,
> value=6c:6f:63:61:6c:68:6f:73:74:2e

Can we get a full stack trace please?

> This looks like it’s being bubbled up from the SNIHostName
> constructor in Java 8
> (https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SNIHostName.html),
> which explicitly forbids trailing dots in hostnames (valid hostname, but
> not a valid SNI hostname). I’m not using SNI, but to make sure I
> set jsse.enableSNIExtension=false. The exception is still thrown,
> leading me to believe that the SNIHostName constructor is being
> called whether SNI is enabled or not.
>
> Why not just remove the trailing dot? Well, it’s valid to be there,
> so why not support it. More importantly, we make use of this to get
> around TLS session caching as discussed here:
> https://developer.apple.com/library/ios/qa/qa1727/_index.html.
>
> This issue is not present in Tomcat 7 or using Java 7. I have a
> small PoC I can zip up and host somewhere if anyone wants to take a
> look.
>
> Does anyone know if this looks like a bug in Tomcat 8 or Java 8 and
> where I should submit a bug report if it does?

This is unlikely to be a bug in Tomcat but it doesn't mean that Tomcat
can't mitigate it if there is a strong enough use case. One could argue
that Apache httpd supports the inclusion of trailing dots (cf.
https://www.apache.org./) so Tomcat should, but httpd supports
connecting to an SSL-enabled port without providing an SSL handshake,
in which case httpd replies in plain-text the likely problem, and
Tomcat/JSSE just kills the connection, and nobody has been motivated to
"fix" that lack of feature-parity, so there's no guarantee that anyone
will spend a great deal of time on this.

-chris
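As an added illustration of the behaviour discussed in this thread (this is my own example, not code from the thread, from Tomcat or from JSSE), the following Java 8 class classifies a requested host the way JDK 8's SNIHostName constructor will treat it, so the "valid FQDN but not a valid SNI host_name" case of a trailing dot can be told apart from a genuinely malformed host before it surfaces as the SSLProtocolException above. The class, enum and method names are assumptions of the example; "localhost." is the host from the report and the other inputs are constructed.

```java
import javax.net.ssl.SNIHostName;
import java.util.Optional;

/** Added example (not from the thread, Tomcat or JSSE). */
public final class SniHostCheck {

    public enum Verdict { OK, EMPTY, TRAILING_DOT, REJECTED_BY_JSSE }

    /** Returns how JDK 8's SNIHostName constructor would treat host. */
    public static Verdict classify(String host) {
        if (host == null || host.isEmpty()) {
            return Verdict.EMPTY;
        }
        // RFC 6066 section 3: the SNI host_name is sent without a trailing
        // dot, and SNIHostName rejects one with IllegalArgumentException.
        if (host.endsWith(".")) {
            return Verdict.TRAILING_DOT;
        }
        try {
            new SNIHostName(host); // the same check JSSE runs; throws on illegal names
            return Verdict.OK;
        } catch (IllegalArgumentException e) {
            return Verdict.REJECTED_BY_JSSE;
        }
    }

    /**
     * Builds the SNI value JSSE can send, dropping a single trailing dot.
     * Caveat: this normalisation also removes the distinct-host effect the
     * original poster relies on to bypass TLS session caching.
     */
    public static Optional<SNIHostName> toSniName(String host) {
        String candidate = (host != null && host.endsWith("."))
                ? host.substring(0, host.length() - 1)
                : host;
        return classify(candidate) == Verdict.OK
                ? Optional.of(new SNIHostName(candidate))
                : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed inputs; "localhost." is the host from the report.
        for (String h : new String[] {"localhost.", "localhost", "www.example.com.", ""}) {
            String sni = toSniName(h).map(SNIHostName::getAsciiName).orElse("none");
            System.out.println("'" + h + "' -> " + classify(h) + ", sni=" + sni);
        }
    }
}
```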