org.eclipse.jetty.client.HttpClientTLSTest#testForcedNonDomainSNI fails on java17 #6624
It is failing on an IPv6 hostname: `host='0:0:0:0:0:0:0:1'`
Issue is due to a "work around" of JVM host name validation:

```java
private static List<SNIServerName> getSniServerNames(SSLEngine sslEngine, List<SNIServerName> serverNames)
{
    if (serverNames.isEmpty())
    {
        String host = sslEngine.getPeerHost();
        if (host != null)
        {
            // Must use the byte[] constructor, because the character ':' is forbidden when
            // using the String constructor (but typically present in IPv6 addresses).
            return Collections.singletonList(new SNIHostName(host.getBytes(StandardCharsets.US_ASCII)));
        }
    }
    return serverNames;
}
```
Temp disable of test that is breaking the build.
IPv6 part of the test commented out for now and marked with a TODO
Java 17 only allows letter|digit|hyphen characters for SNI names. While we could bypass this restriction on the client, when the SNI bytes arrive to the server they will be verified and if not allowed the TLS handshake will fail. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
@gregw I put up another PR with a proper fix. Unfortunately, Java 17 performs stricter checks on the SNI names. We could bypass this on the client with a custom
Why are we attempting to support IP literals in SNI? It is not allowed per the specs.
Because it was a sponsored change.
Java 17 only allows letter|digit|hyphen characters for SNI names. While we could bypass this restriction on the client, when the SNI bytes arrive to the server they will be verified and if not allowed the TLS handshake will fail. Signed-off-by: Simone Bordet <simone.bordet@gmail.com> (cherry picked from commit 693663a)
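The restriction described in the commit message above can also be handled before the handshake by sending SNI only for hosts that are legal DNS names. The following is an added example, not Jetty's code and not the fix from the PR; the class `SniNames` and the helper `sniFor` are hypothetical names, and the sample hosts in `main` are constructed.

```java
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;

public class SniNames
{
    // One DNS label: letters, digits and hyphens, 1 to 63 characters,
    // not starting or ending with a hyphen.
    private static final Pattern LABEL =
        Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    // Hypothetical helper: returns the SNI names to send for a peer host,
    // or an empty list (no SNI extension) when the host is not a legal SNI host name.
    static List<SNIServerName> sniFor(String host)
    {
        if (host == null || host.isEmpty() || host.length() > 253)
            return Collections.emptyList();
        String[] labels = host.split("\\.", -1);
        for (String label : labels)
        {
            // Rejects ':' (IPv6 literals), '_', empty labels and trailing dots.
            if (!LABEL.matcher(label).matches())
                return Collections.emptyList();
        }
        // An all-digit last label means an IPv4 literal such as 127.0.0.1.
        if (labels[labels.length - 1].chars().allMatch(Character::isDigit))
            return Collections.emptyList();
        // The String constructor applies the JVM's own host name validation as well.
        return Collections.singletonList(new SNIHostName(host));
    }

    public static void main(String[] args)
    {
        // Constructed sample inputs: a domain name, the IPv6 host from this issue,
        // an IPv4 literal and a name with a forbidden character.
        String[] hosts = {"example.com", "0:0:0:0:0:0:0:1", "127.0.0.1", "bad_host.example"};
        for (String host : hosts)
            System.out.println(host + " -> " + sniFor(host));
    }
}
```

The returned list can be passed to `SSLParameters.setServerNames(...)`; only `example.com` yields a non-empty list here.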
Jetty version(s)
9, 10, 11
Java version/vendor
(use: java -version)
also
OS type/version
linux
Description
Test org.eclipse.jetty.client.HttpClientTLSTest#testForcedNonDomainSNI fails on java17: