Override default hostname verification in PeerAuthorizerTrustManager

Ensure that the default hostname verification is not applied for the Vespa TLS certificates. Use the custom trust manager even when no authorized peers rules are present.
author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-02-15 12:58:04 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-02-22 14:43:09 +0100
commit: 6b52a0fd46d7cad248fa87cc67d6e0ffd1ca88cc (patch)
tree: dc176d5353dc9d80148ac43d89303a15479b6640 /security-utils
parent: f444dd86cfae0736353271463350fd6bc517e4ba (diff)
4 files changed, 42 insertions, 29 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index c9c326df9ed..e74ad49b2f5 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -2,7 +2,7 @@
 package com.yahoo.security.tls;
 
 import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 
 import javax.net.ssl.SSLContext;
@@ -12,6 +12,7 @@ import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -133,7 +134,9 @@ public class DefaultTlsContext implements TlsContext {
             builder.withTrustStore(caCertificates);
         }
         if (authorizedPeers != null) {
-            builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode));
+            builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore));
+        } else {
+            builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, truststore));
         }
         return builder.build();
     }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
index b57105f54f9..f1fc62de56a 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
@@ -7,6 +7,7 @@ import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.policy.AuthorizedPeers;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -20,6 +21,7 @@ import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.List;
+import java.util.Set;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -110,7 +112,7 @@ public class ReloadingTlsContext implements TlsContext {
                 .withTrustManagerFactory(
                         ignoredTruststore -> options.getAuthorizedPeers()
                                 .map(authorizedPeers -> (X509ExtendedTrustManager) new PeerAuthorizerTrustManager(authorizedPeers, mode, mutableTrustManager))
-                                .orElse(mutableTrustManager))
+                                .orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, mutableTrustManager)))
                 .build();
         return new DefaultTlsContext(sslContext, options.getAcceptedCiphers());
     }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index eee2e502183..3ddd0861f39 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -7,11 +7,14 @@ import com.yahoo.security.tls.TrustManagerUtils;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.X509ExtendedTrustManager;
 import java.net.Socket;
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Logger;
 
@@ -55,24 +58,28 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
 
     @Override
     public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        overrideHostnameVerification(socket);
         defaultTrustManager.checkClientTrusted(chain, authType, socket);
         authorizePeer(chain[0], authType, true, null);
     }
 
     @Override
     public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        overrideHostnameVerification(socket);
         defaultTrustManager.checkServerTrusted(chain, authType, socket);
         authorizePeer(chain[0], authType, false, null);
     }
 
     @Override
     public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+        overrideHostnameVerification(sslEngine);
         defaultTrustManager.checkClientTrusted(chain, authType, sslEngine);
         authorizePeer(chain[0], authType, true, sslEngine);
     }
 
     @Override
     public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+        overrideHostnameVerification(sslEngine);
         defaultTrustManager.checkServerTrusted(chain, authType, sslEngine);
         authorizePeer(chain[0], authType, false, sslEngine);
     }
@@ -114,4 +121,31 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
                              certificate.getSubjectX500Principal(), X509CertificateUtils.getSubjectAlternativeNames(certificate), authType, isVerifyingClient);
     }
 
+    private static void overrideHostnameVerification(SSLEngine engine) {
+        SSLParameters params = engine.getSSLParameters();
+        if (overrideHostnameVerification(params)) {
+            engine.setSSLParameters(params);
+        }
+    }
+
+    private static void overrideHostnameVerification(Socket socket) {
+        if (socket instanceof SSLSocket) {
+            SSLSocket sslSocket = (SSLSocket) socket;
+            SSLParameters params = sslSocket.getSSLParameters();
+            if (overrideHostnameVerification(params)) {
+                sslSocket.setSSLParameters(params);
+            }
+        }
+    }
+
+    // Disable the default hostname verification that is performed by underlying trust manager when 'HTTPS' is used as endpoint identification algorithm.
+    // Some http clients, notably the new http client in Java 11, does not allow user configuration of the endpoint algorithm or custom HostnameVerifier.
+    private static boolean overrideHostnameVerification(SSLParameters params) {
+        if (Objects.equals("HTTPS", params.getEndpointIdentificationAlgorithm())) {
+            params.setEndpointIdentificationAlgorithm("");
+            return true;
+        }
+        return false;
+    }
+
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
deleted file mode 100644
index 6ec8450c035..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.authz;
-
-import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.AuthorizationMode;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-
-import java.security.KeyStore;
-
-/**
- * @author bjorncs
- */
-public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagerFactory {
-    private final AuthorizedPeers authorizedPeers;
-    private AuthorizationMode mode;
-
-    public PeerAuthorizerTrustManagersFactory(AuthorizedPeers authorizedPeers, AuthorizationMode mode) {
-        this.authorizedPeers = authorizedPeers;
-        this.mode = mode;
-    }
-
-    @Override
-    public PeerAuthorizerTrustManager createTrustManager(KeyStore truststore) {
-        return new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore);
-    }
-}
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-02-15 12:58:04 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-02-22 14:43:09 +0100
commit	6b52a0fd46d7cad248fa87cc67d6e0ffd1ca88cc (patch)
tree	dc176d5353dc9d80148ac43d89303a15479b6640 /security-utils
parent	f444dd86cfae0736353271463350fd6bc517e4ba (diff)