[
https://issues.apache.org/jira/browse/ARTEMIS-3968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17599677#comment-17599677
]
Aaron Steigerwald commented on ARTEMIS-3968:
--------------------------------------------
I login to the web console using username and password.
Hopefully you can reproduce it with this info:
# Create self-signed cert.
keytool -genkey -keyalg RSA -alias test_selfsigned -keystore test_keystore.jks
-storepass password -validity 3600 -keysize 2048
# Export the public key.
keytool -export -keystore test_keystore.jks -alias test_selfsigned -file
test_keystore.cer
# Import the public cert into the test_truststore.jks trust store.
keytool -import -alias test_selfsigned -file test_keystore.cer -storetype JKS
-keystore test_truststore.jks -storepass password
bootstrap.xml web element:
<web bind="https://0.0.0.0:8163";
path="web"
keyStorePath="<path to test_keystore.jks>"
keyStorePassword="password"
trustStorePath="<path to test_truststore.jks>"
trustStorePassword="password"
clientAuth="false"
includedTLSProtocols="TLSv1.2">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</web>
> Optionally disable Management UI HTTPS SNI host checking
> --------------------------------------------------------
>
> Key: ARTEMIS-3968
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3968
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Web Console
> Affects Versions: 2.24.0
> Reporter: Aaron Steigerwald
> Priority: Major
>
> The Management UI, when configured to run in HTTPS mode, returns "HTTP ERROR
> 400 Invalid SNI" to the client browser if the web server's certificate
> (defined in the {{bootstrap.xml}} file's web element's {{keyStorePath}}
> attribute) does not contain the server's DNS name. It also prevents the
> browser from using "https://localhost...";. This makes running the broker in a
> dev and test environment difficult. A work around is to run it in HTTP mode
> but this prevents exercising the HTTPS parameters and certificates.
> I think the upgrade from Jetty 9.x to 10.x caused SNI host checking to be
> enabled by default or at least more strictly enforced.
> I disabled SNI host checking by modifying
> {{org.apache.activemq.artemis.component.WebServerComponent}} in the following
> way:
> Current 2.24.0 version:
> {code:java}
> httpConfiguration.addCustomizer(new SecureRequestCustomizer());{code}
> Modified 2.24.0 version to disable SNI host checking:
> {code:java}
> SecureRequestCustomizer secureRequestCustomizer = new
> SecureRequestCustomizer();
> secureRequestCustomizer.setSniHostCheck(false);
> httpConfiguration.addCustomizer(secureRequestCustomizer);{code}
> Adding another binding attribute to the {{bootstrap.xml}} file's web element,
> like "disableSniHostCheck", and using it to set
> "secureRequestCustomizer.setSniHostCheck(false)" would allow a configurable
> way to disable SNI host checking.
> -----
> The following is provided for reference:
> Server Name Indication (SNI)
> https://stackoverflow.com/questions/69945173/http-error-400-invalid-sni-jetty-https-servlet
> Search for "jetty.ssl.sniHostCheck" in
> https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html
> {{artemis.log}} entries:
> {noformat}
> 2022-08-31 21:35:39,512 WARN [org.eclipse.jetty.server.HttpChannel]
> handleException /console org.eclipse.jetty.http.BadMessageException: 400:
> Invalid SNI
> 2022-08-31 21:35:39,560 WARN [org.eclipse.jetty.server.HttpChannel]
> handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400:
> Invalid SNI{noformat}
> Browser message when trying to access https://localhost:8163/console with SNI
> host checking enabled and a certificate with a DNS entry that does not match
> the server:
> {noformat}
> HTTP ERROR 400 Invalid SNI
> URI: /console
> STATUS: 400
> MESSAGE: Invalid SNI
> SERVLET: -
> CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> Caused by:
> org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
> at
> org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
> at
> org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
> at
> org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
> at
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
> at
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at
> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
> at
> org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
> at
> org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
> at
> org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
> at
> org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
> at
> org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
> at java.base/java.lang.Thread.run(Thread.java:829){noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
