Details
-
Improvement
-
Resolution: Fixed
-
Major
-
None
-
None
-
None
-
1
Description
After a journey of badly documented code in the JDK I got down to the gist of why right now we are not validating invalid SAN hostnames/IPs.
With default settings it does not perform the validation. The way to enable it is in our SSLEngineFactory with:
SSLParameters params = new SSLParameters();
|
params.setEndpointIdentificationAlgorithm("HTTPS");
|
engine.setSSLParameters(params);
|
To make this work the factory itself needs to be modified away from the createSSLEngine() to exposing the peer host and port for matching:
SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
|
Once this is implemented you get to see an exception on bootstrap like this:
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.142.175.101 found
|
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
|
at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
|
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
|
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
|
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
|
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
|
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
|
... 28 more
|
This requires changing the signature of the factory but thats not a big deal. The bigger problem is that "setEndpointIdentificationAlgorithm" is ONLY available from 1.7 forward so we can't use it right now.
I think libraries like OkHttp (https://github.com/square/okhttp/issues/2672) run their own hostname verifiers (https://github.com/square/okhttp/pull/162/commits/870ae218c705eedc90a1e6e5e8b3ec83c67a6320) to work around that problem (i.e. older android versions) and we might need to do the same. Also we need to figure out what the implication on backwards compatibility is. Maybe consider it for SDK 3.0 (where we bump to java 8?)
Attachments
Issue Links
- has to be done after
-
JVMCBC-586 Add support for TLS
- Resolved
- is duplicated by
-
JVMCBC-516 Add support for hostname validation for SSL connections
- Resolved
For Gerrit Dashboard: JVMCBC-533 | ||||||
---|---|---|---|---|---|---|
# | Subject | Branch | Project | Status | CR | V |
114725,1 | JVMCBC-533: Perform SAN validation on SSL Handshake | master | couchbase-jvm-clients | Status: ABANDONED | +2 | +1 |
114793,2 | JVMCBC-533: Perform SAN validation on SSL Handshake | master | couchbase-jvm-clients | Status: MERGED | +2 | +1 |