Add unit test that verifies we not fail hostname verification if a ma…

…tching SNI name was used (netty#11803) Motivation: We didn't have a unit test that verifies that the SNI hostname is respected when hostname verification is performed Modifications: Add unit test Result: Ensure we not regress
laosijikaichele · Dec 16, 2021 · 8b28734 · 8b28734
1 parent 35835c8
commit 8b28734
Showing 1 changed file with 24 additions and 4 deletions.
diff --git a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
@@ -104,6 +104,7 @@
 import javax.net.ssl.KeyManagerFactorySpi;
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -2977,11 +2978,22 @@ private void testDisableProtocols(SSLEngineTestParam param,
     @MethodSource("newTestParams")
     @ParameterizedTest
     public void testUsingX509TrustManagerVerifiesHostname(SSLEngineTestParam param) throws Exception {
+        testUsingX509TrustManagerVerifiesHostname(param, false);
+    }
+
+    @MethodSource("newTestParams")
+    @ParameterizedTest
+    public void testUsingX509TrustManagerVerifiesSNIHostname(SSLEngineTestParam param) throws Exception {
+        testUsingX509TrustManagerVerifiesHostname(param, true);
+    }
+
+    private void testUsingX509TrustManagerVerifiesHostname(SSLEngineTestParam param, boolean useSNI) throws Exception {
         if (clientSslContextProvider() != null) {
             // Not supported when using conscrypt
             return;
         }
-        SelfSignedCertificate cert = new SelfSignedCertificate();
+        String fqdn = "something.netty.io";
+        SelfSignedCertificate cert = new SelfSignedCertificate(fqdn);
         clientSslCtx = wrapContext(param, SslContextBuilder
                 .forClient()
                 .trustManager(new TrustManagerFactory(new TrustManagerFactorySpi() {
@@ -3023,9 +3035,12 @@ protected void engineInit(ManagerFactoryParameters managerFactoryParameters) {
                 .sslProvider(sslClientProvider())
                 .build());
 
-        SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT, "netty.io", 1234));
+        SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT, "127.0.0.1", 1234));
         SSLParameters sslParameters = client.getSSLParameters();
         sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+        if (useSNI) {
+            sslParameters.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(fqdn)));
+        }
         client.setSSLParameters(sslParameters);
 
         serverSslCtx = wrapContext(param, SslContextBuilder
@@ -3037,8 +3052,13 @@ protected void engineInit(ManagerFactoryParameters managerFactoryParameters) {
         SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
         try {
             handshake(param.type(), param.delegate(), client, server);
-            fail();
-        } catch (SSLException expected) {
+            if (!useSNI) {
+                fail();
+            }
+        } catch (SSLException exception) {
+            if (useSNI) {
+                throw exception;
+            }
             // expected as the hostname not matches.
         } finally {
             cleanupClientSslEngine(client);