Undertow / UNDERTOW-1533

WebSockets client fails to issue SNI extension when connecting via HTTP Proxy


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 2.0.21.Final
    • 2.0.20.Final
    • Core
    • None

      Set up HTTP Proxy, let the WebSockets client use it. Connect via this proxy by means of TLS to a reverse proxy that handles multiple domain names. Watch the reverse proxy pick a wrong certificate.

      We have a “working” setup that fails: HAProxy by default picks the “first” configured certificate.

      The WebSockets client happily accepts this certificate (even if it does not match the requested domain; this is a different issue, though, in my opinion). However, it is not the correct certificate.


      When connecting with the WebSockets client via an HTTP Proxy server to a WebSockets server via SSL (TLS), the client does not include the SNI extension server_name indication.

      If the server that the client is connecting to is located behind a reverse proxy and the reverse proxy handles multiple servers via SNI, a wrong certificate may be selected (because the reverse proxy has no indication as to the specific target domain name).

      Picture:

      Client -> HTTP Proxy -> Reverse Proxy -> WebSockets server

            flaviarnn Flavia Rainone
            criege@riege.com Christian Riege (Inactive)