authorBjørn Christian Seime <bjorn.christian@seime.no>2019-02-25 10:11:08 +0100
committerGitHub <noreply@github.com>2019-02-25 10:11:08 +0100
commit6dd9327829f55c32bc75ac005cbe8495efae8ebb (patch)
tree03ec158960b337e97daa43ce3fb9411a5f3dfb95 /security-utils
parent1f5547e1401fda44fa491e93a31c1da15078db42 (diff)
parentd9240123dc87003e688eb1e702d56b722eb647f7 (diff)
Merge pull request #8572 from vespa-engine/bjorncs/jdisc-mixed-mode
Bjorncs/jdisc mixed mode
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java7
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java4
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java34
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java26
4 files changed, 42 insertions, 29 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index c9c326df9ed..e74ad49b2f5 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -2,7 +2,7 @@
package com.yahoo.security.tls;
import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLContext;
@@ -12,6 +12,7 @@ import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
+import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -133,7 +134,9 @@ public class DefaultTlsContext implements TlsContext {
builder.withTrustStore(caCertificates);
}
if (authorizedPeers != null) {
- builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode));
+ builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore));
+ } else {
+ builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, truststore));
}
return builder.build();
}
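Review bot: The new else branch installs a PeerAuthorizerTrustManager with AuthorizationMode.DISABLE and an empty AuthorizedPeers set, but nothing says why a no-op authorizer is now preferred over the plain truststore; the same unexplained fallback appears in the ReloadingTlsContext hunk (`.orElseGet(() -> new PeerAuthorizerTrustManager(...DISABLE...))`). From the trust manager changes in this PR it looks like the purpose is to get the endpoint-identification override applied on every connection, so add a comment such as `// Always wrap the default trust manager so the hostname verification override applies even when peer authorization is disabled` above the else. Consider also folding the two lambdas into one that picks `authorizedPeers != null ? authorizedPeers : new AuthorizedPeers(Set.of())` and the matching mode, so the fallback is spelled out once. The enclosing method starts before this hunk.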
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
index b57105f54f9..f1fc62de56a 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
@@ -7,6 +7,7 @@ import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@@ -20,6 +21,7 @@ import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;
+import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
@@ -110,7 +112,7 @@ public class ReloadingTlsContext implements TlsContext {
.withTrustManagerFactory(
ignoredTruststore -> options.getAuthorizedPeers()
.map(authorizedPeers -> (X509ExtendedTrustManager) new PeerAuthorizerTrustManager(authorizedPeers, mode, mutableTrustManager))
- .orElse(mutableTrustManager))
+ .orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, mutableTrustManager)))
.build();
return new DefaultTlsContext(sslContext, options.getAcceptedCiphers());
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index eee2e502183..3ddd0861f39 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -7,11 +7,14 @@ import com.yahoo.security.tls.TrustManagerUtils;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
+import java.util.Objects;
import java.util.Optional;
import java.util.logging.Logger;
@@ -55,24 +58,28 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ overrideHostnameVerification(socket);
defaultTrustManager.checkClientTrusted(chain, authType, socket);
authorizePeer(chain[0], authType, true, null);
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ overrideHostnameVerification(socket);
defaultTrustManager.checkServerTrusted(chain, authType, socket);
authorizePeer(chain[0], authType, false, null);
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+ overrideHostnameVerification(sslEngine);
defaultTrustManager.checkClientTrusted(chain, authType, sslEngine);
authorizePeer(chain[0], authType, true, sslEngine);
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+ overrideHostnameVerification(sslEngine);
defaultTrustManager.checkServerTrusted(chain, authType, sslEngine);
authorizePeer(chain[0], authType, false, sslEngine);
}
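Review bot: Each check method now strips the "HTTPS" endpoint identification algorithm before delegating to defaultTrustManager, regardless of the authorization mode this instance was constructed with. Together with the DISABLE-mode instances that DefaultTlsContext and ReloadingTlsContext now install when no authorized peers are configured, a client that relied on JSSE hostname verification (e.g. the Java 11 HttpClient the comment mentions) ends up with chain validation only and no name binding at all, unless authorizePeer still enforces something in DISABLE mode, which is not visible here. If that is intended for mixed mode, state it in a comment on the override call; otherwise skip the override when authorization is disabled, e.g. `if (mode != AuthorizationMode.DISABLE) overrideHostnameVerification(socket);` in each of the four methods (assuming the constructor's mode argument is kept as a field). The class continues outside the hunk.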
@@ -114,4 +121,31 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
certificate.getSubjectX500Principal(), X509CertificateUtils.getSubjectAlternativeNames(certificate), authType, isVerifyingClient);
}
+ private static void overrideHostnameVerification(SSLEngine engine) {
+ SSLParameters params = engine.getSSLParameters();
+ if (overrideHostnameVerification(params)) {
+ engine.setSSLParameters(params);
+ }
+ }
+
+ private static void overrideHostnameVerification(Socket socket) {
+ if (socket instanceof SSLSocket) {
+ SSLSocket sslSocket = (SSLSocket) socket;
+ SSLParameters params = sslSocket.getSSLParameters();
+ if (overrideHostnameVerification(params)) {
+ sslSocket.setSSLParameters(params);
+ }
+ }
+ }
+
+ // Disable the default hostname verification that is performed by underlying trust manager when 'HTTPS' is used as endpoint identification algorithm.
+ // Some http clients, notably the new http client in Java 11, does not allow user configuration of the endpoint algorithm or custom HostnameVerifier.
+ private static boolean overrideHostnameVerification(SSLParameters params) {
+ if (Objects.equals("HTTPS", params.getEndpointIdentificationAlgorithm())) {
+ params.setEndpointIdentificationAlgorithm("");
+ return true;
+ }
+ return false;
+ }
+
}
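Review bot: The three overrideHostnameVerification overloads carry no Javadoc, and the single comment is attached to the SSLParameters variant only and has a grammar slip (`does not allow` should be `do not allow`). The override also relies on two JDK details worth writing down: that the default trust manager reads the endpoint identification algorithm from the engine/socket parameters at check time, so re-setting them mid-handshake takes effect, and that an empty string (rather than null) is treated as "no identification". Suggest a Javadoc on the SSLEngine and Socket overloads along the lines of `/** Clears the HTTPS endpoint identification algorithm so the delegate trust manager skips hostname verification; peer identity is instead checked by authorizePeer according to the configured mode. */`, plus a one-line comment that a non-SSLSocket is deliberately left untouched.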
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
deleted file mode 100644
index 6ec8450c035..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.authz;
-
-import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.AuthorizationMode;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-
-import java.security.KeyStore;
-
-/**
- * @author bjorncs
- */
-public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagerFactory {
- private final AuthorizedPeers authorizedPeers;
- private AuthorizationMode mode;
-
- public PeerAuthorizerTrustManagersFactory(AuthorizedPeers authorizedPeers, AuthorizationMode mode) {
- this.authorizedPeers = authorizedPeers;
- this.mode = mode;
- }
-
- @Override
- public PeerAuthorizerTrustManager createTrustManager(KeyStore truststore) {
- return new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore);
- }
-}