Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL handshake fails when client authentication is enabled and starter-jetty is used #17541

Closed
kmailkarthik opened this issue Jul 17, 2019 · 2 comments
Closed

SSL handshake fails when client authentication is enabled and starter-jetty is used #17541

kmailkarthik opened this issue Jul 17, 2019 · 2 comments
Assignees
@wilkinsona
Labels
type: bug A general bug
Milestone
2.1.8

Comments

@kmailkarthik
Copy link

SSL handshake fails when using embedded jetty and client authentication for incoming requests.

Version:

2.1.6.RELEASE

Steps to reproduce:

  1. Exclude starter-tomcat and include starter-jetty.
  2. Configure server.ssl.client-auth to NEED
  3. Send a request with client certificate.
  4. Below logs will be seen on server( debug has to be enabled)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address <redacted> found
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:154) ~[na:1.8.0_40]
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:91) ~[na:1.8.0_40]
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[na:1.8.0_40]
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[na:1.8.0_40]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[na:1.8.0_40]
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[na:1.8.0_40]
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1835) ~[na:1.8.0_40]
	... 24 common frames omitted

  1. Sample project to reproduce the issue.

    https://github.com/kmailkarthik/demo-springboot-issue

Root cause:

jetty/jetty.project#3454
jetty/jetty.project#3464

Fix:

Tried to change SslContextFactory to SslContextFactory.Server in below fork and it fixes the issue.

https://github.com/kmailkarthik/spring-boot/tree/2.1.x
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 17, 2019
@wilkinsona
Copy link
Member

I noticed this when upgrading to 9.4.15 but may have misdiagnosed the problem. It can be avoided by adding subject alternative names to the certificates which I did in 946e826.

@philwebb philwebb added the for: team-attention An issue we'd like other members of the team to review label Jul 24, 2019
@bbende
Copy link

bbende commented Jul 28, 2019

I'm not totally sure about this, but I think typically only a server certificate would have a SAN, but not a client certificate for an end-user.

We have a similar issue to what is described in this JIRA and from reading Jetty 3454, they basically made the endpoint identification enabled by default in SSLContextFactory, but its only meant to be used on the client side, but since SSLContextFactory is used on both client and server side, it requires the server to disable it.

Given the above, I was thinking in the SslServerCustomizer it should probably use SslContextFactory.Server and call contextFactory.setEndpointIdentificationAlgorithm(null); by default.

@wilkinsona wilkinsona added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 16, 2019
@wilkinsona wilkinsona added this to the 2.1.x milestone Aug 16, 2019
@philwebb philwebb removed the for: team-attention An issue we'd like other members of the team to review label Aug 23, 2019
@wilkinsona wilkinsona self-assigned this Sep 1, 2019
@wilkinsona wilkinsona mentioned this issue Sep 1, 2019
Closed
@wilkinsona wilkinsona modified the milestones: 2.1.x, 2.1.8 Sep 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wilkinsona wilkinsona

Labels
type: bug A general bug
Projects
None yet
Milestone
2.1.8
Development

No branches or pull requests
5 participants
@philwebb @bbende @wilkinsona @kmailkarthik @spring-projects-issues