
Fixes #6624 - Non-domain SNI on java17 #6634

Merged: 1 commit, Aug 18, 2021

Conversation

sbordet (Contributor) commented Aug 17, 2021

Java 17 only allows letter|digit|hyphen characters for SNI names.

While we could bypass this restriction on the client, when the SNI bytes arrive at the server they will be verified and, if not allowed, the TLS handshake will fail.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

// Must use the byte[] constructor, because the character ':' is forbidden when
// using the String constructor (but typically present in IPv6 addresses).
// Since Java 17, only letter|digit|hyphen characters are allowed, even by the byte[] constructor.
Review comment (Contributor):

This is still not a proper fix. If ':' is never allowed, then why are we using the byte[] version? Shouldn't we just revert to the String version and remove this comment?

/* TODO Fix. See #6624
if (Net.isIpv6InterfaceAvailable())
@Test
@EnabledForJreRange(max = JRE.JAVA_16, disabledReason = "Since Java 17, SNI host names can only have letter|digit|hyphen characters.")
Review comment (Contributor):

This does not feel right. We are relying on implementation knowledge that an arg check is left out of one version of a method in Java < 17. There is no reason that this arg check might not be added to a dot release of Java 8-16.
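As an added example (not Jetty's code and not part of this PR), one version-independent way to build the client's SNI list without depending on which SNIHostName constructor skips a check on a given JDK: IP literals are never sent as server_name (RFC 6066 does not permit them), and any other name the String constructor rejects is omitted rather than sent and refused by the server. The class name SniHelper and its method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;

// Hypothetical helper, not Jetty's implementation.
public final class SniHelper {
    // RFC 6066 section 3: literal IPv4 and IPv6 addresses are not allowed in server_name.
    private static final Pattern IPV4 = Pattern.compile("^(\\d{1,3}\\.){3}\\d{1,3}$");

    static boolean isIpLiteral(String host) {
        // Any ':' marks an IPv6 literal (which the String constructor rejects anyway);
        // dotted-quad IPv4 literals pass STD3 rules, so they need an explicit check.
        return host.indexOf(':') >= 0 || IPV4.matcher(host).matches();
    }

    /** Returns the server names to send, or an empty list when SNI must be omitted. */
    static List<SNIServerName> serverNamesFor(String host) {
        List<SNIServerName> names = new ArrayList<>();
        if (host == null || host.isEmpty() || isIpLiteral(host))
            return names;
        try {
            // Rely only on the String constructor, which validates with
            // IDN.USE_STD3_ASCII_RULES (letter|digit|hyphen labels) on every Java
            // version, instead of on a byte[] constructor whose checks vary by JDK.
            names.add(new SNIHostName(host));
        } catch (IllegalArgumentException x) {
            // Non-domain name (for example "bad_host" with an underscore): send no SNI
            // rather than let the server abort the handshake on an invalid server_name.
        }
        return names;
    }

    static SSLParameters apply(SSLParameters params, String host) {
        params.setServerNames(serverNamesFor(host));
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample hosts: two valid names, an IPv6 and an IPv4 literal, and
        // a name with a character STD3 rules forbid.
        String[] hosts = {"example.com", "xn--bcher-kva.example", "2001:db8::1", "192.0.2.10", "bad_host"};
        for (String host : hosts)
            System.out.println(host + " -> " + serverNamesFor(host));
    }
}
```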

@sbordet sbordet merged commit 693663a into jetty-9.4.x Aug 18, 2021
@sbordet sbordet deleted the jetty-9.4.x-6624-non-domain-sni-java17 branch August 18, 2021 15:07
@sbordet sbordet added this to In progress in Jetty 9.4.44 FROZEN via automation Aug 25, 2021
@sbordet sbordet moved this from In progress to Done in Jetty 9.4.44 FROZEN Aug 25, 2021

Successfully merging this pull request may close these issues.

org.eclipse.jetty.client.HttpClientTLSTest#testForcedNonDomainSNI fails on java17