  1. Qpid Dispatch
  2. DISPATCH-2259

server_name set by Dispatch Router contains illegal characters


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.16.1
    • Fix Version/s: 1.17.1
    • Component/s: Router Node
    • Labels: None

    Description

      When the dispatch router is configured with an Auth Server Plugin that should be accessed via a TLS connection, then the router includes the TLS Server Name Indication extension (https://datatracker.ietf.org/doc/html/rfc6066) in its TLS ServerHello message but sets the host_name to a value that is not a domain name as mandated by the RFC. Instead, it sets the host_name to a combination of the server name and the port configured for the Auth Server Plugin. So, for Auth Server Plugin configuration

      ["authServicePlugin",
      {
        "name": "My Auth Server",
        "host": "my-auth-server.host",
        "port": 5671,
        "sslProfile": "external"
      }]

      the host_name set in the server_name extension is

      my-auth-server.host:5671

      which is not a valid domain name.

      The TLS implementation that comes with Java 17 will fail the TLS handshake with the dispatch router due to an illegal character in the host_name.

      I believe that this problem may also arise with other outbound connections that the router creates.

      FMPOV the port suffix simply needs to be removed.

          People

            Assignee: Unassigned
            Reporter: Kai Hudalla (sophokles73)
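An added example, not code from the router or from Qpid Proton: a C helper with the hypothetical name `sni_host_name` that derives the SNI host_name from a configured `host` or `host:port` string by dropping the port suffix, as the report proposes. It returns -1 when no host_name should be sent, which covers IP literals (RFC 6066 does not permit them in HostName) and malformed names; the strict letters-digits-hyphen label check is an assumption of this example.

```c
#include <ctype.h>
#include <string.h>

/* Writes the SNI host_name for addr ("host" or "host:port") into out.
 * Returns 0 on success, -1 when the SNI extension should be omitted:
 * IP literal, empty or malformed name, or out too small. */
int sni_host_name(const char *addr, char *out, size_t outlen)
{
    if (!addr || !out || addr[0] == '[')       /* "[v6]:port" is an IP literal */
        return -1;

    size_t len = strlen(addr);
    const char *colon = strchr(addr, ':');
    if (colon) {
        if (strchr(colon + 1, ':'))            /* bare IPv6 literal such as "::1" */
            return -1;
        len = (size_t)(colon - addr);          /* drop the ":port" suffix */
    }
    if (len > 0 && addr[len - 1] == '.')       /* RFC 6066: no trailing dot */
        len--;
    if (len == 0 || len > 253 || len >= outlen)
        return -1;

    size_t label_len = 0;
    int all_digits = 1;                        /* tracks the current label only */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '.') {                        /* label boundary */
            if (label_len == 0 || addr[i - 1] == '-')
                return -1;
            label_len = 0;
            all_digits = 1;
            continue;
        }
        if (c > 127 || (!isalnum(c) && c != '-') || (c == '-' && label_len == 0))
            return -1;
        if (++label_len > 63)
            return -1;
        if (!isdigit(c))
            all_digits = 0;
    }
    /* An all-numeric last label means an IPv4 literal, not a DNS name. */
    if (label_len == 0 || addr[len - 1] == '-' || all_digits)
        return -1;

    memcpy(out, addr, len);
    out[len] = '\0';
    return 0;
}
```

A caller that gets -1 would skip the server_name extension for that connection instead of sending the raw address string.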