Java Couchbase JVM Core / JVMCBC-533

Perform SAN validation on SSL Handshake

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 2.0.0-beta.1

    Description

      After a journey of badly documented code in the JDK I got down to the gist of why right now we are not validating invalid SAN hostnames/IPs.

      With default settings it does not perform the validation. The way to enable it is in our SSLEngineFactory with:

      SSLParameters params = new SSLParameters();
      params.setEndpointIdentificationAlgorithm("HTTPS");
      engine.setSSLParameters(params);
      

      To make this work the factory itself needs to be changed from calling createSSLEngine() to exposing the peer host and port for matching:

      SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
      

      Once this is implemented you get to see an exception on bootstrap like this:

      Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.142.175.101 found
      	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
      	at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
      	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
      	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
      	... 28 more
      

      This requires changing the signature of the factory but that's not a big deal. The bigger problem is that "setEndpointIdentificationAlgorithm" is ONLY available from 1.7 forward so we can't use it right now.

      I think libraries like OkHttp (https://github.com/square/okhttp/issues/2672) run their own hostname verifiers (https://github.com/square/okhttp/pull/162/commits/870ae218c705eedc90a1e6e5e8b3ec83c67a6320) to work around that problem (i.e. older Android versions) and we might need to do the same. Also we need to figure out what the implication on backwards compatibility is. Maybe consider it for SDK 3.0 (where we bump to Java 8?)
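The two changes described in this issue, combined into one factory, as an added example that is not the SDK's own code. The class name VerifyingEngineFactory, the sample address and the sample port are assumptions made for illustration; it needs Java 7 or later.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

// Hypothetical class name; this is not the SDK's SSLEngineFactory.
public final class VerifyingEngineFactory {
    private final SSLContext ctx;

    public VerifyingEngineFactory(SSLContext ctx) {
        this.ctx = ctx;
    }

    /** Creates a client-mode engine with endpoint identification enabled for peerHost. */
    public SSLEngine create(String peerHost, int peerPort) {
        if (peerHost == null || peerHost.isEmpty()) {
            // The certificate is matched against the peer host handed to
            // createSSLEngine(host, port), so refuse to build an engine without one.
            throw new IllegalArgumentException("peerHost is required for endpoint identification");
        }
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        // Start from the engine's current parameters so the configured
        // protocols and cipher suites are carried over unchanged.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        VerifyingEngineFactory factory = new VerifyingEngineFactory(SSLContext.getDefault());
        // Constructed sample peer (documentation address range); no connection is made.
        SSLEngine engine = factory.create("192.0.2.10", 11207);
        System.out.println("peer: " + engine.getPeerHost() + ":" + engine.getPeerPort());
        System.out.println("endpoint identification: "
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

Every call site has to pass the host or IP it actually dials, because that value is what the certificate's SAN entries are compared against during the handshake.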

            People

              daschl Michael Nitschinger