Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SNI Support in Quarkus's Undertow websocket #23

Open
gorshkov-leonid opened this issue Apr 27, 2020 · 4 comments
Open

SNI Support in Quarkus's Undertow websocket #23

gorshkov-leonid opened this issue Apr 27, 2020 · 4 comments

Comments

@gorshkov-leonid
Copy link

gorshkov-leonid commented Apr 27, 2020

Hello, I am not a specialist in this question, but It seemed I have a problem because Quarkus does not support SNI extension in SSL. Although I tested it with HTTP rest-client and there were no problems.

Details:
*I have a the same problem, the same message and the same difference between rest's logs and websocket's logs:

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1571238552 bytes = { 125, 241, 169, 6, 39, 103, 208, 112, 16, 73, 146, 115, 185, 122, 155, 35, 69, 225, 103, 209, 161, 159, 5, 137, 54, 165, 78, 99 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***

vs

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1571238202 bytes = { 191, 255, 75, 40, 82, 20, 198, 108, 27, 89, 101, 152, 184, 97, 12, 203, 201, 86, 244, 33, 33, 22, 183, 124, 59, 107, 104, 109 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=myhost.com]
***

I decided to find where this extension is set in vertex (because HTTP rest-client works):

But in websockets-jsr I can't see any mentions of SNI and SSLEngine is created without host and port:

But I decided to check how things are going here: https://github.com/undertow-io/undertow/
And found that they suggest some SNISSLContextSpi

Could you help with an answer if it is a bug, or not?

@stuartwdouglas
Copy link
Member

stuartwdouglas commented Apr 28, 2020 via email

@gorshkov-leonid
Copy link
Author

gorshkov-leonid commented Apr 28, 2020

@stuartwdouglas , thank you. I checked the fix via java hot swap. Although a test failed It is working in my case. About releases how long does it take usually to prepare release? And while it is preparing, maybe you know any WA. I tried solution from this, but it is not working:

        URI uri = URI.create(webSocketUrl);
        SSLParameters sslParameters = new SSLParameters();
        sslParameters.setServerNames(singletonList(new SNIHostName(uri.getHost())));
        HttpsURLConnection.setDefaultSSLSocketFactory(
                new SSLSocketFactoryWrapper(
                        WebSocketClientSslProviderImpl.getSystemSslContext().getSocketFactory(),
                        sslParameters
                )
        );

Apparently factory is not used... Are you aware of something about it?

@stuartwdouglas
Copy link
Member

We don't use HttpsURLConnection

@gorshkov-leonid
Copy link
Author

gorshkov-leonid commented Apr 29, 2020

@stuartwdouglas , sorry for the bother. As I understand you do not know a workaround, are you? And when the next release is planned?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants