Apache Knox / KNOX-1346

SNI Mismatch Failures due to Wrong Host Header

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1.0
    • Component/s: Server
    • Labels:
      None

      Description

      It has come to my attention that proxying various services is failing when access to the backend service is over TLS due to an SNI Mismatch. This is due to the Host header not matching the Server Name Indicator (SNI).

      We have been doing a combination of excluding the Host header from being dispatched to some services while sending a Host header that was what the client used to call Knox gateway. Both of these conditions are violations of the SNI rules. I think that recent Jetty upgrades may have introduced enforcement of these rules where it didn't exist previously.

      This change changes the Host header to be the host of the targetUrl within the UrlRewriteRequest. This should always be correct.

      It will also remove the recent update to the AtlasHaDispatch to allow the Host header to be sent again in order to avoid issues with it missing.
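
      The rule the description arrives at, sketched as an added example (not Knox code, and not taken from the fix itself): derive the Host header from the target URL and compare each of the three dispatch behaviours against the name a TLS client would send as SNI. The class name, method names and hostnames are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.util.Locale;

public class HostHeaderCheck {

    // Host header for a dispatch to targetUrl: host, plus the port when it is not the scheme default.
    static String hostHeaderFor(URI targetUrl) {
        String host = targetUrl.getHost();
        if (host == null) {
            throw new IllegalArgumentException("target URL has no host: " + targetUrl);
        }
        int port = targetUrl.getPort();
        String scheme = targetUrl.getScheme();
        boolean defaultPort = port == -1
                || ("https".equalsIgnoreCase(scheme) && port == 443)
                || ("http".equalsIgnoreCase(scheme) && port == 80);
        return defaultPort ? host : host + ":" + port;
    }

    // True when the Host header names the same host that the TLS handshake to targetUrl carries as SNI.
    static boolean matchesSni(String hostHeader, URI targetUrl) {
        if (hostHeader == null || hostHeader.isEmpty()) {
            return false; // Host header excluded from the dispatch: nothing to match
        }
        String sniName = targetUrl.getHost().toLowerCase(Locale.ROOT);
        String name = hostHeader.toLowerCase(Locale.ROOT);
        int colon = name.lastIndexOf(':');
        if (colon > 0 && !name.endsWith("]")) {
            name = name.substring(0, colon); // drop ":port", leave a bare "[v6]" literal alone
        }
        return name.equals(sniName);
    }

    public static void main(String[] args) {
        // Constructed sample values: the backend URL after rewrite and the Host the client sent to the gateway.
        URI targetUrl = URI.create("https://backend.example.com:8443/service/path");
        String clientHost = "gateway.example.com:8443";

        System.out.println("client Host forwarded: " + matchesSni(clientHost, targetUrl));  // false
        System.out.println("Host header excluded:  " + matchesSni(null, targetUrl));        // false
        String fixed = hostHeaderFor(targetUrl);
        System.out.println("Host from targetUrl:   " + fixed + " -> " + matchesSni(fixed, targetUrl)); // true
    }
}
```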

            People

            • Assignee:
              lmccay Larry McCay
              Reporter:
              lmccay Larry McCay