Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1564

Proxied SSL Connections use wrong peer address

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 2.0.23.Final
    • 2.0.21.Final
    • SSL
    • None

      When creating a client SSL Connection via a HTTP proxy, the destination address indicated in the SSL connection is the address of the proxy. This is wrong and leads to a CertificateException:

        java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
  	at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160)
  	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:434)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:291)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
  	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:620)
  	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)
  	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
  	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
  	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
  	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
  	at java.base/java.security.AccessController.doPrivileged(Native Method)
  	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
  	at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1111)
  	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
  	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
  	at java.base/java.lang.Thread.run(Thread.java:834)}

      (in this case the proxy was running on 127.0.0.1).

              flaviarnn Flavia Rainone
              criege@riege.com Christian Riege (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: