CXF-8668: Set SniHostCheck to false for SSLNettyClientTest

Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.0, 3.4.5
    • Fix Version/s: 3.5.2, 3.4.7, 4.0.0
    • Component/s: Transports
    • Labels: None
    • Environment: Unknown

    Description

      After Jetty is upgraded to 11.x, the SniHostCheck is actually enabled, after this change: https://github.com/eclipse/jetty.project/pull/6078

      The request IP address is 127.0.0.1 and it isn't in the allowed address list, hence the SSLNettyClientTest fails:

      [INFO] Running org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
      [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 4.38 s <<< FAILURE! - in org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest
      [ERROR] org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation  Time elapsed: 0.482 s  <<< ERROR!
      jakarta.xml.ws.WebServiceException: Could not send Message.
          at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)
      Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Invalid SNI' when communicating with https://localhost:36101/SoapContext/SoapPort
          at org.apache.cxf.transport.http.netty.client.integration.SSLNettyClientTest.testInvocation(SSLNettyClientTest.java:103)


      CXF 3.5.0 includes Jetty 9.4.44, and Jetty's SecureRequestCustomizer happens to skip sniHostCheck when the x509 is null and sniRequired is false:

      SSLSession sslSession = sslEngine.getSession();

      if (_sniHostCheck || _sniRequired)
      {
          X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
          if (LOG.isDebugEnabled())
              LOG.debug("Host {} with SNI {}", request.getServerName(), x509);

          if (x509 == null)
          {
              if (_sniRequired)
                  throw new BadMessageException(400, "SNI required");
          }
          else if (_sniHostCheck && !x509.matches(request.getServerName()))
          {
              throw new BadMessageException(400, "Host does not match SNI");
          }
      }

      This means it doesn't execute sniHostCheck even though the default value is true. See this issue: https://github.com/eclipse/jetty.project/issues/5379
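      As an added illustration (not CXF's own engine code and not the fix committed for this issue), the embedded Jetty 11 setup below shows where the sniHostCheck flag lives and how a test server can switch it off while leaving Jetty's default in place everywhere else; the class name, keystore path and password are assumptions.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical test helper; not part of CXF or Jetty.
public class SniHostCheckTestServer {

    // Builds an HTTPS connector on Jetty 11. SecureRequestCustomizer is where Jetty
    // compares the certificate selected for the TLS SNI name against the request's
    // Host (sniHostCheck) and optionally rejects clients that send no SNI (sniRequired).
    static ServerConnector httpsConnector(Server server, String keyStorePath,
                                          String keyStorePassword, boolean sniHostCheck) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);         // assumed test keystore, see main()
        ssl.setKeyStorePassword(keyStorePassword);

        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        customizer.setSniRequired(false);          // Jetty default: clients without SNI are allowed
        customizer.setSniHostCheck(sniHostCheck);  // Jetty default is true; 11.x actually enforces it

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(customizer);

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setHost("localhost");
        connector.setPort(0);                      // ephemeral port, as in the failing test
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // Test-only: sniHostCheck=false restores the Jetty 9.4 behaviour, so the request to
        // https://localhost/ is served even though the test certificate does not match it.
        // Production connectors keep the default (true) and instead use a certificate whose
        // SAN covers the hostname clients actually connect to.
        server.addConnector(httpsConnector(server, "target/test-keystore.jks", "changeit", false));
        server.start();
        ServerConnector c = (ServerConnector) server.getConnectors()[0];
        System.out.println("HTTPS test server on port " + c.getLocalPort());
        server.stop();
    }
}
```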


People

    Assignee: Jim Ma
    Reporter: Jim Ma
