Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-4302

SNI wildcard mappings match multiple level of subdomain

    XMLWordPrintable

Details

    • Hide
      1. get and unzip WildFly
      2. go to WildFly home and prepare keystores: 
        keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
      3. start server, connect to CLI and configure SNI mappings: 
        /subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
      4. check how SNI works e.g. via OpenSSL s_client tool: 
        openssl s_client -showcerts -connect localhost:8443 -servername first-sublevel.example.com
openssl s_client -showcerts -connect localhost:8443 -servername second-sublevel.first-sublevel.example.com
      Show
      get and unzip WildFly go to WildFly home and prepare keystores: keytool -genkeypair -alias default -cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/ default .keystore.jks -dname "CN= default " -keypass secret -storepass secret keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret start server, connect to CLI and configure SNI mappings: /subsystem=elytron/key-store=defaultKS:add(path= default .keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=[ "TLSv1.2" ]) /subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=[ "TLSv1.2" ]) /subsystem=elytron/server-ssl-sni-context=sniSSC:add( default -ssl-context=defaultSSC, host-context-map={ ".*\\.example\\.com" =asteriskSSC}) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC) run-batch reload check how SNI works e.g. via OpenSSL s_client tool: openssl s_client -showcerts -connect localhost:8443 -servername first-sublevel.example.com openssl s_client -showcerts -connect localhost:8443 -servername second-sublevel.first-sublevel.example.com

    Description

      Based on the text from analasys:

      Wildcard names use * as a wildcard, and can only be used to match a single level of subdomain in much the same way as with wildcard certificates.

      As such, in case I have configured SNI mapping for:

      .*\\.example\\.com

      I expect that this mapping is selected for any single level of subdomain of example.com although, in case of any extra subdomain, this mapping is not utilized. In other words, following hostnames should match:

      test.example.com
another-test.example.com

      although following should not be matched and default server-ssl-context shall be used instead:

      two-sublevel.one-sublevel.example.com

      Current behaviour also matches also 'two-sublevel.one-sublevel.example.com'.

      Attachments

        Issue Links

          is related to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) WFCORE-4309 Value validator for 'host-context-map' attribute of 'server-ssl-sni-context' resource

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Resolved

          Activity

            People

              dvilkola@redhat.com Diana Krepinska
              pjelinek@redhat.com Pavel Jelinek
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: