
From raw...@apache.org
Subject [trafficcontrol] branch master updated: Use exact matching of requested name to certificate for SNI fields
Date Mon, 17 Sep 2018 19:09:24 GMT
This is an automated email from the ASF dual-hosted git repository.

rawlin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 18f7cb3  Use exact matching of requested name to certificate for SNI fields
18f7cb3 is described below

commit 18f7cb35eabed9739009338a0c7b1ad31fdb9780
Author: Eric Friedrich <efriedri@cisco.com>
AuthorDate: Fri Sep 14 09:30:54 2018 -0400

    Use exact matching of requested name to certificate for SNI fields
---
 CHANGELOG.md                                           |  3 +++
 .../traffic_router/secure/KeyManager.java              | 18 ++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2734bde..59f5ac1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Traffic Monitor Client Update: Traffic Monitor is updated to use the Traffic Ops v13 client.
 - Removed previously deprecated `traffic_monitor_java`
 
+### Changed
+- Issue 2821: Fixed "Traffic Router may choose wrong certificate when SNI names overlap"
+
 ## [2.2.0] - 2018-06-07
 ### Added
 - Per-DeliveryService Routing Names: you can now choose a Delivery Service's Routing Name
(rather than a hardcoded "tr" or "edge" name). This might require a few pre-upgrade steps
detailed [here](http://traffic-control-cdn.readthedocs.io/en/latest/admin/traffic_ops/migration_from_20_to_22.html#per-deliveryservice-routing-names)
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
index 1c2df67..2996cb0 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
@@ -29,6 +29,7 @@ import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 // Uses the in memory CertificateRegistry to provide dynamic key and certificate management
for the router
 // The provided default implementation does not allow for the key store to change state
@@ -87,11 +88,19 @@ public class KeyManager extends X509ExtendedKeyManager implements X509KeyManager
 			final String sniString = new String(requestedName.getEncoded());
 			stringBuilder.append(sniString);
 
-			final Optional<String> optionalAlias = certificateRegistry.getAliases().stream().filter(sniString::contains).findFirst();
-			if (optionalAlias.isPresent()) {
-				log.info("KeyManager: FOUND certificate registry aliases matching " + optionalAlias.get());
-				return optionalAlias.get();
+			final List<String> partialAliasMatches = certificateRegistry.getAliases().stream().filter(sniString::contains).collect(Collectors.toList());
+			Optional<String> alias = partialAliasMatches.stream().filter(sniString::contentEquals).findFirst();
+			if (alias.isPresent()) {
+			    return alias.get();
 			}
+
+			// Not an exact match, some of the aliases may have had the leading zone removed
+			final String sniStringTrimmed = sniString.substring(sniString.indexOf('.') + 1);
+			alias = partialAliasMatches.stream().filter(sniStringTrimmed::contentEquals).findFirst();
+			if (alias.isPresent()) {
+			    return alias.get();
+			}
+
 		}
 
 		if (stringBuilder.length() > 0) {
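Review bot: The two new `return alias.get();` branches drop the log line the replaced code emitted on a match, so the alias actually selected for a given SNI is no longer recorded anywhere; a `log.debug("KeyManager: selected alias " + alias.get() + " for SNI " + sniString);` before each return would keep certificate-selection problems of the kind this commit fixes diagnosable from the router logs. Both `contentEquals` comparisons are case-sensitive, while clients are free to send SNI host names in mixed case; if registry aliases are populated in a single case (not visible here), such a request falls through to the not-found path below, so normalising `sniString` with `toLowerCase(Locale.ROOT)` before comparing is worth confirming against how aliases are stored. The `sniStringTrimmed` fallback is only safe because it is an exact comparison after stripping one label; a comment stating that the stripped label is the routing name would make the intent clearer than "leading zone". The two returns are indented with spaces where the surrounding file uses tabs. The enclosing method begins before and ends after this hunk.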
@@ -102,6 +111,7 @@ public class KeyManager extends X509ExtendedKeyManager implements X509KeyManager
 		return null;
 	}
 
+
 	@Override
 	public X509Certificate[] getCertificateChain(final String alias) {
 		final HandshakeData handshakeData = certificateRegistry.getHandshakeData(alias);

