tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Robbins <peter.robb...@jamfsoftware.com>
Subject Re: Trailing dot in hostname causes TLS handshake to fail
Date Thu, 13 Nov 2014 20:40:43 GMT
Chris,

With SSLv3 enabled it succeeds. That makes sense since SNI is only TLS.


I don't have a stack trace, since the exception is handled and handshake 
aborted, but here's the debug output: http://pastebin.com/ShqZQVC7.

Digging a little more into this I think this might be a Java issue. From 
what I can tell Tomcat is just calling getSession() on the SSLEngine that 
jsse sends back to it and Java is the one that's not honoring the 
jsse.enableSNIextension flag. Changing to a Java 7 runtime fixes the issue 
(since jsse doesn't have server-side SNI support in JRE7), so that being 
the differentiator, I'll try my luck filing a bug with Oracle. >_<

I might play around and see if an APR setup demonstrates the same behavior.

Thanks,
Peter


On 11/13/14, 8:12 PM, "Christopher Schultz" <chris@christopherschultz.net> 
wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Peter,
>
>On 11/11/14 4:03 PM, Peter Robbins wrote:
>> Hi there, I’m running into an issue with fully-qualified domain
>> names and https using Tomcat 8 and JDK 8. Tomcat version: 8.0.14 
>> JDK Version: 1.8.0_25OS: Mac OS X 10.10
>> 
>> If you include the trailing dot in a request over https, the TLS
>> handshake will fail. It appears that it tries to fall back to
>> SSLv3, but if you have SSLv3 disabled, the whole thing just fails.
>
>If you have SSLv3 enabled, does it succeed?
>
>> My SSL Connector looks like this: <Connector SSLEnabled="true"
>> URIEncoding="UTF-8" acceptCount="100" clientAuth="false" debug="1"
>> disableUploadTimeout="true" enableLookups="false"
>> keystoreFile="../keystore.jks" keystorePass="password"
>> maxHttpHeaderSize="8192" keyAlias="selfsigned" port="8443"
>> protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
>> secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2">
>> 
>> 
>> https://localhost.:8443 in Chrome 38 returns 
>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
>> 
>> The output from javax.net.debug=all contains this: 
>> http-bio-8443-exec-5, handling exception: 
>> javax.net.ssl.SSLProtocolException: Illegal server name, 
>> type=host_name(0), name=localhost.,
>> value=6c:6f:63:61:6c:68:6f:73:74:2e
>
>Can we get a full stack trace please?
>
>> This looks like it’s being bubbled up from the SNIHostName
>> constructor in Java 8 
>> 
>>(https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SNIHostName.html
>>),
>>
>> 
>which explicitly forbids trailing dots in hostnames (valid hostname, but
>> not a valid SNI hostname). I’m not using SNI, but to make sure I
>> set jsse.enableSNIExtension=false. The exception is still thrown,
>> leading me to believe that the SNIHostName constructor is being
>> called whether SNI is enabled or not.
>> 
>> 
>> Why not just remove the trailing dot? Well, it’s valid to be there,
>> so why not support it. More importantly, we make use of this to get
>> around TLS session caching as discussed here: 
>> https://developer.apple.com/library/ios/qa/qa1727/_index.html.
>> 
>> 
>> This issue is not present in Tomcat 7 or using Java 7. I have a
>> small PoC I can zip up and host somewhere if anyone wants to take a
>> look.
>> 
>> Does anyone know if this looks like a bug in Tomcat 8 or Java 8 and
>> where I should submit a bug report if it does?
>
>This is unlikely to be a bug in Tomcat but it doesn't mean that Tomcat
>can't mitigate it if there is a strong enough use case.
>
>One could argue that Apache httpd supports the inclusion of trailing
>dots (cf. https://www.apache.org./) so Tomcat should, but httpd
>supports connecting to an SSL-enabled port without providing an SSL
>handshake, in which case httpd replies in plain-text the likely
>problem, and Tomcat/JSEE just kills the connection, and nobody has
>been motivated to "fix" that lack of feature-parity, so there's no
>guarantee that anyone will spend a great deal of time on this.
>
>- -chris
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1
>Comment: GPGTools - http://gpgtools.org
>
>iQIcBAEBCAAGBQJUZRClAAoJEBzwKT+lPKRYInEP/3R2et1gVF6Ws0cTZaoQCHxw
>Ss6XKOBpLdaHU2fSMlBYSiNKgBkFFZmv60zBL4t931nj/etEgMBYUPdURCc7jwTy
>IXkjn5O9et+yz+A0oy7VGTcEoDkQjqlQkBkcVxHp60D0F6VolXwPSp1q9vgAqOZ2
>EZob8Ig3KPJQEjAuaRrpAOdy3HK54eNkpapdty5OmYr+6vQZRBpLDu2WvQo6IFiD
>sY8eq6alryYw4kJFgjKMdNx0GMXdflWqOeYl8FOfjyC4G0+MzoxkfQKcAsO/0O+T
>xJtNC20wq8cy+Sbi30M+7U/gzhq5hQ35L8ZcqtsyrDBxeGpkgrX6xyZ9UVWFBfg9
>yUH2V0FOh0VBxf7CzZm9axxt4XKD62cNFceWxR/xVzoB6PB07l0WMDHO+uDHqw8A
>8dstM5C4657mGk4wzV74mcITlD6GsfsACU+Cmf+gN0eX04g8BT13d3ywkagD6nVp
>X8MdjosV/yZrmvSJKjp9fMBzWAyY+jyOp6j4ZqV/8Ctx/cJ0Czp5iFnIxQ2eGfUU
>EdwKvoUEayT7KseuEiH/ke9/IV7K2oUCHWQRq610B3lziEAWKXtKauQGYaG7muve
>9/sHD91rZQ/iXVOvbdxvTnmNUf6Rv7kG500euph+kKYxjNsplzKtvW3tvHixmC7q
>//XaOQGj8Tiix/yuuEX5
>=MC0o
>-----END PGP SIGNATURE-----
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message