Apache NiFi MiNiFi - MOVED TO NIFI PROJECT
MINIFI-552

Fix new SSL SAN Behaviour from new Jetty Version in C2 Server


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.6.0
    • Fix Version/s: 1.14.0
    • Component/s: None
    • Labels: None

    Description

      Jetty tries to resolve the SAN name for connecting clients, but the behaviour of the constructor changed, as seen here: https://github.com/eclipse/jetty.project/pull/3480

      Linked: https://github.com/eclipse/jetty.project/issues/3466

      Linked: https://github.com/eclipse/jetty.project/issues/3454

      Linked: apache/nifi-minifi#169

      This leads to MiNiFis not being able to connect to C2, even with correct certs, and this error:

      2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.io.AbstractEndPoint close(javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found) DecryptedEndPoint@3663382d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=13/30000}
      2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.server.HttpConnection
      javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found
              at sun.security.ssl.Alert.createSSLException(Alert.java:131)
              at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
              at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
              at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
              at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
              at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
              at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
              at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
              at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
              at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
              at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
              at java.security.AccessController.doPrivileged(Native Method)
              at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
              at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
              at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:342)
              at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
              at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
              at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
              at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
              at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
              at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
              at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
              at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
              at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.172.220.28 found
              at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:179)
              at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
              at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:135)
              at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
              ... 26 common frames omitted
      

      Proposed fix for MiNiFi-C2: https://github.com/mattyb149/nifi/pull/17
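The stack trace above comes from the JDK's X509TrustManagerImpl.checkIdentity running endpoint identification against the *client* certificate during a mutual-TLS handshake on the C2 listener (port 10081). The following is an added example of a Jetty listener configured the way that avoids this, not code from the MiNiFi C2 project or from the linked pull requests. It assumes the C2 server builds its TLS listener from Jetty's SslContextFactory (the Jetty SslConnection frames in the trace support that); the class name, keystore and truststore paths and passwords are placeholders.

```java
// Added example (not MiNiFi C2 project code): a Jetty HTTPS listener requiring
// TLS client certificates, with endpoint identification explicitly disabled on
// the server-side SslContextFactory. Paths, passwords and the class name are
// placeholders; the port matches the one in the reported log.
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class C2TlsListenerExample {

    public static SslContextFactory.Server serverSslContextFactory(
            String keystorePath, String keystorePassword,
            String truststorePath, String truststorePassword) {
        // Use the Server flavour of the factory rather than the generic
        // SslContextFactory, so the defaults applied are Jetty's server-side ones.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keystorePath);
        ssl.setKeyStorePassword(keystorePassword);
        ssl.setTrustStorePath(truststorePath);
        ssl.setTrustStorePassword(truststorePassword);

        // Require a client certificate: this is what authenticates a MiNiFi agent.
        ssl.setNeedClientAuth(true);

        // Endpoint identification ("HTTPS") makes the JDK trust manager match the
        // peer certificate's SAN entries against the peer's host name or IP. That
        // is a client-side check of a server certificate; applied by the server
        // to a client certificate it fails with
        // "No subject alternative names matching IP address ... found", since
        // agent certificates are not issued for the agent's source address.
        // Setting it to null here does not weaken client authentication: the
        // client chain is still validated against the trust store.
        ssl.setEndpointIdentificationAlgorithm(null);
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        SslContextFactory.Server ssl = serverSslContextFactory(
                "/path/to/c2-keystore.jks", "keystorePassword",
                "/path/to/c2-truststore.jks", "truststorePassword");
        ServerConnector https = new ServerConnector(server, ssl);
        https.setPort(10081);
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

Keep endpoint identification enabled on the agent (client) side, where it is the check that stops an agent from talking to an impostor C2 server. To confirm the listener accepts an agent certificate, a handshake with `openssl s_client -connect <c2-host>:10081 -cert agent.pem -key agent.key -CAfile ca.pem` should complete without the server closing the connection after the Certificate message.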


People

  Assignee: Unassigned
  Reporter: Rene Weidlinger (renewei)
  Votes: 0
  Watchers: 1


Time Tracking

  Original Estimate: Not Specified
  Remaining Estimate: 0h
  Time Spent: 0.5h