author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-15 12:58:04 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-22 14:43:09 +0100 |
commit | 6b52a0fd46d7cad248fa87cc67d6e0ffd1ca88cc (patch) | |
tree | dc176d5353dc9d80148ac43d89303a15479b6640 /security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java | |
parent | f444dd86cfae0736353271463350fd6bc517e4ba (diff) |
Override default hostname verification in PeerAuthorizerTrustManager
Ensure that the default hostname verification is not applied for the Vespa TLS certificates.
Use the custom trust manager even when no authorized peers rules are present.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index eee2e502183..3ddd0861f39 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -7,11 +7,14 @@ import com.yahoo.security.tls.TrustManagerUtils;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.X509ExtendedTrustManager;
 import java.net.Socket;
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Logger;
@@ -55,24 +58,28 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
 @Override
 public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ overrideHostnameVerification(socket);
 defaultTrustManager.checkClientTrusted(chain, authType, socket);
 authorizePeer(chain[0], authType, true, null);
 }
 @Override
 public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ overrideHostnameVerification(socket);
 defaultTrustManager.checkServerTrusted(chain, authType, socket);
 authorizePeer(chain[0], authType, false, null);
 }
 @Override
 public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+ overrideHostnameVerification(sslEngine);
 defaultTrustManager.checkClientTrusted(chain, authType, sslEngine);
 authorizePeer(chain[0], authType, true, sslEngine);
 }
 @Override
 public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+ overrideHostnameVerification(sslEngine);
 defaultTrustManager.checkServerTrusted(chain, authType, sslEngine);
 authorizePeer(chain[0], authType, false, sslEngine);
 }
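Review bot: The `overrideHostnameVerification(...)` call is placed ahead of `defaultTrustManager.check*Trusted(...)` in all four methods, and that ordering is load-bearing but undocumented: it is the default trust manager that applies the endpoint identification algorithm, so the parameters must be mutated before it runs. A comment at the first insertion point, e.g. `// Must precede the default check: the default trust manager is what applies endpoint identification`, would stop a later refactor from reordering the two calls. The override is also now applied in the two `checkClientTrusted` variants, where an endpoint identification algorithm is rarely configured, so those calls are presumably no-ops in practice; worth confirming rather than assuming. The enclosing class continues outside this hunk.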
@@ -114,4 +121,31 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
 certificate.getSubjectX500Principal(), X509CertificateUtils.getSubjectAlternativeNames(certificate), authType, isVerifyingClient);
 }
+ private static void overrideHostnameVerification(SSLEngine engine) {
+ SSLParameters params = engine.getSSLParameters();
+ if (overrideHostnameVerification(params)) {
+ engine.setSSLParameters(params);
+ }
+ }
+
+ private static void overrideHostnameVerification(Socket socket) {
+ if (socket instanceof SSLSocket) {
+ SSLSocket sslSocket = (SSLSocket) socket;
+ SSLParameters params = sslSocket.getSSLParameters();
+ if (overrideHostnameVerification(params)) {
+ sslSocket.setSSLParameters(params);
+ }
+ }
+ }
+
+ // Disable the default hostname verification that is performed by underlying trust manager when 'HTTPS' is used as endpoint identification algorithm.
+ // Some http clients, notably the new http client in Java 11, does not allow user configuration of the endpoint algorithm or custom HostnameVerifier.
+ private static boolean overrideHostnameVerification(SSLParameters params) {
+ if (Objects.equals("HTTPS", params.getEndpointIdentificationAlgorithm())) {
+ params.setEndpointIdentificationAlgorithm("");
+ return true;
+ }
+ return false;
+ }
+
 }
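Review bot: `overrideHostnameVerification(SSLParameters)` compares the algorithm name with `Objects.equals("HTTPS", ...)`, but the JDK trust manager matches the endpoint identification algorithm case-insensitively, so a value such as `"https"` would still trigger the default hostname check while this override silently does nothing; `"HTTPS".equalsIgnoreCase(params.getEndpointIdentificationAlgorithm())` makes the two agree (that mismatch fails closed, so it is a consistency issue rather than a bypass). The larger point is that once the algorithm is cleared, `authorizePeer` is the only identity check left on the connection; the commit message says this trust manager is now used even when no authorized-peers rules are present, and if `authorizePeer` accepts every chain in that configuration (its rule handling is outside this hunk), any certificate the trust store accepts would be accepted for any hostname. The comment above the method should state that consequence explicitly, e.g. `// After this, peer identity is enforced solely by authorizePeer(); an empty rule set therefore means no identity check beyond chain validation.` Also, `getSSLParameters()` returns a copy, so the `setSSLParameters` calls are what make the change take effect; a one-line comment there would keep a future reader from "simplifying" them away.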