Trailing dot in hostname causes TLS handshake to fail

Tue, 11 Nov 2014 13:06:13 -0800 

Hi there,
I’m running into an issue with fully-qualified domain names and https 
using Tomcat 8 and JDK 8.
Tomcat version: 8.0.14
JDK Version: 1.8.0_25OS: Mac OS X 10.10

If you include the trailing dot in a request over https, the TLS handshake 
will fail. It appears that it tries to fall back to SSLv3, but if you have 
SSLv3 disabled, the whole thing just fails.

My SSL Connector looks like this:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
                clientAuth="false" debug="1" disableUploadTimeout="true"
                enableLookups="false" keystoreFile="../keystore.jks"
                keystorePass="password" maxHttpHeaderSize="8192" 
keyAlias="selfsigned"
port="8443" protocol="org.apache.coyote.http11.Http11Protocol" 
scheme="https" secure="true"
                sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2">


https://localhost.:8443 in Chrome 38 returns 
ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

The output from javax.net.debug=all contains this:
http-bio-8443-exec-5, handling exception: 
javax.net.ssl.SSLProtocolException: Illegal server name, 
type=host_name(0), name=localhost., value=6c:6f:63:61:6c:68:6f:73:74:2e

This looks like it’s being bubbled up from the SNIHostName constructor in 
Java 8 
(https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SNIHostName.html),
 which explicitly forbids trailing dots in hostnames (valid hostname, but 
not a valid SNI hostname). I’m not using SNI, but to make sure I set 
jsse.enableSNIExtension=false. The exception is still thrown, leading me 
to believe that the SNIHostName constructor is being called whether SNI is 
enabled or not.


Why not just remove the trailing dot? Well, it’s valid to be there, so why 
not support it. More importantly, we make use of this to get around TLS 
session caching as discussed here: 
https://developer.apple.com/library/ios/qa/qa1727/_index.html.


This issue is not present in Tomcat 7 or using Java 7. I have a small PoC 
I can zip up and host somewhere if anyone wants to take a look.

Does anyone know if this looks like a bug in Tomcat 8 or Java 8 and where 
I should submit a bug report if it does?

Thanks,
Peter

Reply via email to