Using an X509TrustManager with OPEN_SSL engine bypass hostname verification

[vietj]

Expected behavior

Using an X509TrustManager with OPEN_SSL engine should perform hostname verification.

Actual behavior

With JDK engine, when an X509TrustManager is passed in the SslContextBuilder, the returned X509TrustManager is wrapped by an X509ExtendedTrustManager that performs hostname verification, for instance here is a verification failure trace:

Caused by: java.security.cert.CertificateException: No name matching localhost_ found
	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:998)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:937)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)

When using the OPEN_SSL engine, the checkServerTrusted(X509Certificate[] x509Certificates, String s) of X509TrustManager is called for verification purpose but it cannot perform the hostname validation as it does not have access to the engine that contains the parameters.

Steps to reproduce

https://github.com/vietj/netty-openssl-custom-trustmanager-verification-error

• change JDK engine to OPEN_SSL in the SslContextBuilder
• run the test : the hostname verification should fail

Minimal yet complete reproducer code (or URL to code)

Netty version

4.1.8.Final is used in the reproducer but it fails too with 4.1.9.Final

JVM version (e.g. java -version)

java version "1.8.0_92"

OS version (e.g. uname -a)

Darwin julien 15.6.0 Darwin Kernel Version 15.6.0: Fri Feb 17 10:21:18 PST 2017; root:xnu-3248.60.11.4.1~1/RELEASE_X86_64 x86_64
o

[normanmaurer]

@vietj would have been nice if it would be a netty only unit test :)

[vietj]

ah, I can convert it to pure Netty, I used Vert.x for setting up the server faster, but the important part is in Netty. I'll update it of course Norman, I just focused on providing something quickly :-)

[vietj]

updated with only netty code in the reproducer

[normanmaurer]

@vietj there is still vert.x code for the server. Can you change this as well ?

[vietj]

ah just look at the unit test TheTest, not the "Main" class, sorry for confusion.

[vietj]

I had open ssl classloading issues when running the main in Intellij so I moved all to a unit test with tcnative as scope test and it worked

[normanmaurer]

@vietj ah ok... thx will check

[Scottmitch]

4.1.8.Final is used in the reproducer but it fails too with 4.1.9.Final

The OpenSSL engine didn't support hostname verification before 4.1.9.Final [1]

[1] d8e6fbb

[Scottmitch]

You must also use netty-tcnative 2.0.0.Final [1] and OpenSSL 1.0.2+ (or boring ssl)

Since we build against 1.0.1 the dynamically linked netty-tcnative in maven central will not support this feature ... but it looks like you are want to use the statically linked BoringSSL so you should be fine.

[1] netty/netty-tcnative@df8f3b1

[normanmaurer]

I will investigate soon... Just need to find some time

[vietj]

@Scottmitch can you explain why it works with file Key/Cert and OpenSSL in 4.1.8 ?

[Scottmitch]

can you explain why it works with file Key/Cert and OpenSSL in 4.1.8 ?

You have a Main.java and a TheTest.java in your reproducer. I only looked at TheTest.java.
Prior to Netty 4.1.9.Final and netty-tcnative 2.0.0.Final while using the OpenSSL there was no association between calling SSLParamaters#setEndpointIdentificationAlgorithm and Netty instructing OpenSSL of the expected hostname to validate. However the JDK's SSLEngineImpl would validate the hostname. So that is why TheTest#doTest "works" (handshake is setup) when you use Netty's OpenSSL engine (no validation of the host name is done) but when you use JDK's SSLEngineImpl the test "does not work" (hostname validation is done, and localhost_ != localhost).

If there is another scenario with 4.1.9 which isn't working as expected please update the reproducer and I can take another look.

[vietj]

here is the validation with OpenSSL and Key/Cert:

Caused by: java.security.cert.CertificateException: No name matching localhost_ found
	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)