Fixes #4778 - Enforcing SNI when there are only non-wildcards certificates.

If SNI is required, wrap the KeyManagers with SniX509ExtendedKeyManager. Updated the main keystore file to only have one certificate (instead of two), since there never was the need for two certificates in the tests. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2020-04-18 18:15:03 +02:00 · 2020-04-18 18:15:03 +02:00 · 426c80bf6d
parent 15f7e0671b
commit 426c80bf6d
3 changed files with 25 additions and 3 deletions
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
@ -301,6 +301,29 @@ public class SniSslConnectionFactoryTest
        assertThat(response.getStatus(), is(400));
    }

+    @Test
+    public void testWrongSNIRejectedConnectionWithNonSNIKeystore() throws Exception
+    {
+        start(ssl ->
+        {
+            // Keystore has only one certificate, but we want to enforce SNI.
+            ssl.setKeyStorePath("src/test/resources/keystore");
+            ssl.setSniRequired(true);
+        });
+
+        // Wrong SNI host.
+        assertThrows(SSLHandshakeException.class, () -> getResponse("wrong.com", "wrong.com", null));
+
+        // No SNI host.
+        assertThrows(SSLHandshakeException.class, () -> getResponse(null, "wrong.com", null));
+
+        // Good SNI host.
+        HttpTester.Response response = HttpTester.parseResponse(getResponse("jetty.eclipse.org", "jetty.eclipse.org", null));
+
+        assertNotNull(response);
+        assertThat(response.getStatus(), is(200));
+    }
+
    @Test
    public void testSameConnectionRequestsForManyDomains() throws Exception
    {
--- a/jetty-server/src/test/resources/keystore
+++ b/jetty-server/src/test/resources/keystore
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@ -1247,14 +1247,13 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
                }

                // Is SNI needed to select a certificate?
-                if (!_certWilds.isEmpty() || _certHosts.size() > 1 || (_certHosts.size() == 1 && _aliasX509.size() > 1))
+                boolean sniRequired = (this instanceof Server) && ((Server)this).isSniRequired();
+                if (sniRequired || !_certWilds.isEmpty() || _certHosts.size() > 1 || (_certHosts.size() == 1 && _aliasX509.size() > 1))
                {
                    for (int idx = 0; idx < managers.length; idx++)
                    {
                        if (managers[idx] instanceof X509ExtendedKeyManager)
-                        {
                            managers[idx] = newSniX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx]);
-                        }
                    }
                }
            }