endpointIdentificationAlgorithm enabled by default #3454

Closed
jborgland opened this issue Mar 12, 2019 · 4 comments
Comments

@jborgland

With commit e4d7860 the default value for endpointIdentificationAlgorithm was changed from null to HTTPS to "avoid warnings." The referenced warnings were introduced as part of the same issue (#3049).

The result of this change is that a lot of (most?) client certificates will be rejected with the message "No subject alternative names matching IP address <ip> found".

Section 3.2 of RFC 2818 states that "Typically, the server has no external knowledge of what the client's identity ought to be and so checks (other than that the client has a certificate chain rooted in an appropriate CA) are not possible", so the new default value seems like a bad one (and so does the warning).

@joakime
Contributor

joakime commented Mar 12, 2019

endpointIdentificationAlgorithm is for clients themselves to use to validate the certificates of the server against the hostname you used to connect.
The classes in Jetty that use this would be Jetty's HttpClient, Http2Client, WebSocketClient, and the javax.websocket ClientContainer.
Since SslContextFactory is a generic holder for all things SSL/TLS, both client and server, we do not know its intended use up front; your server-defined one could be shared with ProxyServlet, websockets, clients, etc.

Have you just tried setting endpointIdentificationAlgorithm to null again in your configuration?

The "No subject alternative names matching IP address <ip> found" is typically a server-side function and seems to indicate an SNI issue.
I feel that your analysis is pointing at the wrong part of the code.
The SNI code, on the other hand, has undergone some changes in regards to how it validates. (See: #2886, #2896, #3282)

@sbordet
Contributor

sbordet commented Mar 12, 2019

@jborgland endpointIdentificationAlgorithm=HTTPS was made to make the default usage of SslContextFactory for clients more secure by default.

Because you are using client certificates you are probably already customizing your server-side SslContextFactory, so now you have to set endpointIdentificationAlgorithm=null and ignore the warning (which is emitted on a special logger that you can configure to not emit warnings).

Unfortunately there was no easy way to make both the client case and the client-certificate case on the server side happy.
Since the latter is rarer, we have decided for the current status of things.

@joakime an alternative could be to have an SslContextFactory.Client and an SslContextFactory.Server with slightly different default configurations and extra checks about the warnings (e.g. if instanceof Server then dont_warn_about_EIA).

@jborgland
Author

@joakime

"The No subject alternative names matching IP address found is typically a server side function and seems to indicate a SNI issue."

My point exactly - the new default value essentially enabled functionality that shouldn't be enabled in this context.

@sbordet
Yes, I do create my own SslContextFactory instance and I've already updated my code to set the value to null (and that resolved the issue). Although I understand the reason for the change, I'm not convinced it was a good choice: with Jetty being a servlet container, I would expect that the most common use of the SslContextFactory would be for the server role. I noticed that someone else on the jetty-users list had run into the same issue a few weeks back (without a resolution, in the mailing list at least).

Creating two separate ones sounds like a reasonable way of solving the problem.

@joakime
Contributor

joakime commented Apr 15, 2019

Closing in favor of the work being done in Issue #3464

@joakime joakime closed this as completed Apr 15, 2019
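An added example, not code from this issue or from the Jetty project, showing the two roles the thread separates: a server-side factory that requires client certificates and validates them only against a trust store (no hostname or IP match against the client certificate, per RFC 2818 section 3.2), beside a client-side factory that keeps HTTPS endpoint identification on. It assumes a Jetty 9.4 release that has the SslContextFactory.Server and SslContextFactory.Client subclasses proposed above (the work tracked in #3464); the keystore paths, passwords and port are placeholders.

```java
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class TlsRoleConfig {
    // Server role with mutual TLS: the client chain must root in a CA from the
    // trust store, but no name is matched against it (RFC 2818 s.3.2).
    static SslContextFactory.Server serverSsl() {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/app/server-keystore.jks");        // placeholder path
        ssl.setKeyStorePassword("PLACEHOLDER_KEYSTORE_PASSWORD");    // placeholder
        ssl.setTrustStorePath("/etc/app/client-ca-truststore.jks");  // placeholder path
        ssl.setTrustStorePassword("PLACEHOLDER_TRUSTSTORE_PASSWORD");
        ssl.setNeedClientAuth(true);   // reject handshakes without a client certificate
        // Set explicitly so the intent survives any change of library defaults.
        ssl.setEndpointIdentificationAlgorithm(null);
        return ssl;
    }

    // Client role: hostname verification is essential here, otherwise a valid
    // certificate for any name under a trusted CA would be accepted for any host.
    static SslContextFactory.Client clientSsl() {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setTrustStorePath("/etc/app/server-ca-truststore.jks");  // placeholder path
        ssl.setTrustStorePassword("PLACEHOLDER_TRUSTSTORE_PASSWORD");
        ssl.setEndpointIdentificationAlgorithm("HTTPS");
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        ServerConnector tls = new ServerConnector(server, serverSsl(),
                new HttpConnectionFactory(httpsConfig));
        tls.setPort(8443);             // placeholder port
        server.addConnector(tls);
        server.start();

        HttpClient client = new HttpClient(clientSsl());
        client.start();
        client.stop();
        server.stop();
    }
}
```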
dtreskunov pushed a commit to dtreskunov/easyssl that referenced this issue Apr 24, 2019
Jetty 9.4.15 started doing additional checks on client certificates.
This bit of code reverts to the old behavior.

See jetty/jetty.project#3454

Fixes #6
kofemann added a commit to kofemann/dcache that referenced this issue May 7, 2019
Motivation:
jetty version 9.4.15+ enforces the HTTPS protocol and rejects any other
schemes by default.

(see jetty/jetty.project#3454)

Modification:
unset endpointIdentificationAlgorithm as recommended to allow srm usage.

Result:
srm works again!

Acked-by:
Target: master, 5.1, 5.0, 4.2, 4.1, 4.0, 3.2
Require-book: no
Require-notes: no
kofemann added a commit to kofemann/dcache that referenced this issue May 8, 2019
…y.Server

Motivation:
jetty version 9.4.15+ enforces the HTTPS protocol and rejects any other
schemes by default.

(see jetty/jetty.project#3454)

To allow 'srm://' the SslContextFactory must reset explicit protocol
enforcement, or subclass SslContextFactory.Server, which does it by
default.

Modification:
make CanlContextFactory a subclass of jetty.ssl.SslContextFactory.Server
to remove protocol enforcement and get rid of the deprecated jetty API.

Result:
srm works again!

Acked-by:
Target: master, 5.1, 5.0, 4.2, 4.1, 4.0, 3.2
Require-book: no
Require-notes: no
kofemann added a commit to dCache/dcache that referenced this issue May 8, 2019
…y.Server

Motivation:
jetty version 9.4.15+ enforces the HTTPS protocol and rejects any other
schemes by default.

(see jetty/jetty.project#3454)

To allow 'srm://' the SslContextFactory must reset explicit protocol
enforcement, or subclass SslContextFactory.Server, which does it by
default.

Modification:
make CanlContextFactory a subclass of jetty.ssl.SslContextFactory.Server
to remove protocol enforcement and get rid of the deprecated jetty API.

Result:
srm works again!

Acked-by: Paul Millar
Target: master, 5.1, 5.0, 4.2, 4.1, 4.0, 3.2
Require-book: no
Require-notes: no
kofemann added a commit to kofemann/dcache that referenced this issue May 8, 2019
…y.Server

Motivation:
jetty version 9.4.15+ enforces the HTTPS protocol and rejects any other
schemes by default.

(see jetty/jetty.project#3454)

To allow 'srm://' the SslContextFactory must reset explicit protocol
enforcement, or subclass SslContextFactory.Server, which does it by
default.

Modification:
make CanlContextFactory a subclass of jetty.ssl.SslContextFactory.Server
to remove protocol enforcement and get rid of the deprecated jetty API.

Result:
srm works again!

Acked-by: Paul Millar
Target: master, 5.1, 5.0, 4.2, 4.1, 4.0, 3.2
Require-book: no
Require-notes: no
(cherry picked from commit 8ad4ca3)
Signed-off-by: Tigran Mkrtchyan <[email protected]>
vitam-prg pushed a commit to ProgrammeVitam/vitam that referenced this issue May 24, 2019
ketan added a commit to gocd/gocd that referenced this issue Aug 1, 2019
vitam-prg pushed a commit to ProgrammeVitam/vitam that referenced this issue Sep 5, 2019