ActiveMQ Artemis issue ARTEMIS-3968

Optionally disable Management UI HTTPS SNI host checking


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Abandoned
    • Affects Version/s: 2.24.0
    • Fix Version/s: None
    • Component/s: Web Console
    • Labels: None

    Description

      The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR 400 Invalid SNI" to the client browser if the web server's certificate (defined in the bootstrap.xml file's web element's keyStorePath attribute) does not contain the server's DNS name. It also prevents the browser from using "https://localhost...". This makes running the broker in a dev and test environment difficult. A workaround is to run it in HTTP mode, but this prevents exercising the HTTPS parameters and certificates.

      I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be enabled by default or at least more strictly enforced.

      I disabled SNI host checking by modifying org.apache.activemq.artemis.component.WebServerComponent in the following way:

      Current 2.24.0 version:

      httpConfiguration.addCustomizer(new SecureRequestCustomizer());

      Modified 2.24.0 version to disable SNI host checking:

      SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
      secureRequestCustomizer.setSniHostCheck(false);
      httpConfiguration.addCustomizer(secureRequestCustomizer);

      Adding another binding attribute to the bootstrap.xml file's web element, like "disableSniHostCheck", and using it to set "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable way to disable SNI host checking.

      The following is provided for reference:

      Server Name Indication (SNI)

      https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet

      Search for "jetty.ssl.sniHostCheck" in https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html

      artemis.log entries:

      2022-08-31 21:35:39,512 WARN  [org.eclipse.jetty.server.HttpChannel] handleException /console org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
      2022-08-31 21:35:39,560 WARN  [org.eclipse.jetty.server.HttpChannel] handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI

      Browser message when trying to access https://localhost:8163/console with SNI host checking enabled and a certificate with a DNS entry that does not match the server:

      HTTP ERROR 400 Invalid SNI
      URI:    /console
      STATUS:    400
      MESSAGE:    Invalid SNI
      SERVLET:    -
      CAUSED BY:    org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
      Caused by:
      org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
          at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
          at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
          at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
          at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
          at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
          at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
          at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
          at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
          at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
          at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
          at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
          at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
          at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
          at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
          at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
          at java.base/java.lang.Thread.run(Thread.java:829)
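The configurable wiring proposed in the description, together with a check of whether the broker's keystore certificate actually names the host the browser will use, as an added example that is not part of this issue or of the Artemis code base; the disableSniHostCheck attribute, the keystore alias and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.SecureRequestCustomizer;

public class SniHostCheckConfig {

    // Wiring as proposed in the description: SNI host checking stays on unless
    // a hypothetical bootstrap.xml attribute disableSniHostCheck="true" turns it off.
    static HttpConfiguration httpsConfiguration(boolean disableSniHostCheck) {
        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        customizer.setSniHostCheck(!disableSniHostCheck);
        HttpConfiguration cfg = new HttpConfiguration();
        cfg.addCustomizer(customizer);
        return cfg;
    }

    // Does the keystore certificate carry a dNSName SAN for the host the browser
    // will type? If yes, the 400 "Invalid SNI" goes away without disabling the check.
    static boolean certificateCoversHost(String keyStorePath, String keyStoreType,
            char[] password, String alias, String host) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) return false;
        Collection<List<?>> sans = ((X509Certificate) cert).getSubjectAlternativeNames();
        if (sans == null) return false; // no SAN extension: browsers ignore the CN entirely
        for (List<?> san : sans) {
            // GeneralName type 2 is dNSName (RFC 5280); its value is a String
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // usage: SniHostCheckConfig <keystore> <type> <password> <alias> <host>
        boolean covered = certificateCoversHost(args[0], args[1], args[2].toCharArray(), args[3], args[4]);
        System.out.println(covered ? "keep SNI host check on"
                : "cert lacks dNSName " + args[4] + "; reissue it, or disable the check for dev only");
    }
}
```

Jetty only rejects the request when the Host header does not match the names in the selected certificate, so issuing a dev certificate with a localhost SAN keeps the check on; disabling it lets any Host value reach the console on that listener.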

      People

        Assignee: Justin Bertram (jbertram)
        Reporter: Aaron Steigerwald (steigerwalda)