
Support non-standard domains in X509 #6274

Closed
sbordet opened this issue May 14, 2021 · 11 comments
Labels
Sponsored This issue affects a user with a commercial support agreement

Comments

sbordet (Contributor) commented May 14, 2021

Jetty version
9.4.x

Description
Class X509 seems to discard domains that don't have a dot or that have a space in the CN, but there is no corresponding check for SAN.

X509 should be more lenient and allow for domains such as localhost or [::1], because clients may send such domains as SNI.

Note that Java clients don't send SNIs that are non-standard:
https://github.com/openjdk/jdk/blob/jdk-16-ga/src/java.base/share/classes/sun/security/ssl/Utilities.java#L104-L107
However, it is possible to send them via APIs.

In case the APIs are used to send non-standard domains as SNI, Jetty on the server should be able to match them.

@sbordet sbordet added the Sponsored This issue affects a user with a commercial support agreement label May 14, 2021
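The issue text above points out that the JDK's default SNI logic (the linked Utilities.java check) does not send host names without a dot, but that an application can still send one through the public API. The following is an added example, not code from this issue or from the Jetty or JDK projects: a plain JSSE client that forces the SNI host_name "localhost" via SSLParameters so that a server such as Jetty must match it. The target host, port and the assumption that the server certificate is trusted by the JVM's default trust store (for example via -Djavax.net.ssl.trustStore) are all assumptions of the example.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

public class ExplicitSniClient {

    /**
     * Opens a TLS connection to host:port and sends exactly the given SNI host_name,
     * bypassing the JDK's default rule that drops names without a dot (e.g. "localhost").
     */
    static SSLSocket connectWithSni(String host, int port, String sniName) throws Exception {
        // Assumption: the JVM default SSLContext trusts the server certificate.
        SSLContext ctx = SSLContext.getDefault();
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        // SNIHostName validates the value as a host name (IDN/STD3 rules): "localhost" is
        // accepted, but an IP literal such as "[::1]" throws IllegalArgumentException,
        // so IP addresses cannot be sent as SNI host_name through this API.
        List<SNIServerName> names = Collections.singletonList(new SNIHostName(sniName));
        params.setServerNames(names);
        // Keep HTTPS endpoint identification on: the presented certificate must match
        // the name we asked for, which is the check the server-side SNI matching feeds.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: a TLS server listening on 127.0.0.1:8443 with a certificate for "localhost".
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        try (SSLSocket s = connectWithSni(host, port, "localhost")) {
            OutputStream out = s.getOutputStream();
            out.write("GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n"
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();

            InputStream in = s.getInputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) > 0) {
                System.out.write(buf, 0, n);
            }
            System.out.flush();
        }
    }
}
```

Without the explicit setServerNames call, a connection made to "localhost" would carry no SNI extension at all, which is why a server that only ever sees dotted names from Java clients still has to cope with names like "localhost" coming from other clients or from this API.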
sbordet (Contributor, Author) commented May 14, 2021

Aggregated into #6276.

@sbordet sbordet closed this as completed May 14, 2021
30010041 commented:
Hello, friend.
Jetty version
9.4.42.v20210604
Description
Class X509 removes restriction
[screenshot attached]

However, Class SslContextFactory does not perform corresponding processing. As a result, an exception is reported when both DNS and CN exist.
[screenshot attached]

sbordet (Contributor, Author) commented Jul 31, 2021

@30010041 sorry your report is not clear.
Please make an example of a domain that does not work.

joakime (Contributor) commented Aug 1, 2021

That seems like it should be a new issue as well.

30010041 commented Aug 2, 2021

Hello, when the certificate contains both DNS and CN and the values are not the same:
[screenshot attached]

1. The `if (cn != null && cn.contains(".") && !cn.contains(" ")) {` restriction is removed from class X509. When the addName method of class X509 is invoked, two pieces of data, "localhost" and "127.0.0.1", are added.

2. The SslContextFactory class does not perform corresponding processing. In this case, `_certHosts.size > 1`. As a result, an exception is reported.
[screenshot attached]

sbordet (Contributor, Author) commented Aug 2, 2021

@30010041 still not clear.

First, a DNS name of 127.0.0.1 is illegal, it must be a host name, not an IP address.
Second, _certHosts.size > 1 is correct because you have 2 names for that certificate, localhost and 127.0.0.1.

What exception do you get? Please report the whole stack trace.

30010041 commented Aug 2, 2021

The value of DNS is "duckduckgo.com". The value of CN is "localhost".
It's the same kind of problem.

java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

sbordet (Contributor, Author) commented Aug 2, 2021

@30010041 please read the exception message carefully.

The problem is not in the certificate handling like you think, it's that you have to use the correct SslContextFactory subclass as the exception reports.

30010041 commented Aug 3, 2021

@sbordet hello friend.
First, one certificate contains both DNS and CN information, not multiple certificates.
Second, `if (cn != null && cn.contains(".") && !cn.contains(" ")) {` is deleted from class X509 in version 9.4.42, so the semantics are changed. As a result, `_certHosts.size > 1` is abnormal.

sbordet (Contributor, Author) commented Aug 3, 2021

@30010041 you insist on reporting a single if statement, without ever reporting what the problem is.
That you insist on saying that the line is wrong is not enough evidence that there is a problem.
As I said, the exception you get is not due to the line you report, which is correct, but to the fact that you're using the wrong SslContextFactory subclass.

joakime (Contributor) commented Aug 3, 2021

java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

@30010041 that error message is telling you what you need to do.

We cannot pick the one you should be using for you; only you and your specific usage of SslContextFactory determines that.
You MUST pick one of those two specific sub-types for your specific Keystore demands (you have multiple certificates, as reported in that error).
Make that change in your code and try again.

If you don't make this change in your code, or don't want to make this change in your code, then there is nothing more we can do to help you.
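The exception quoted in this thread is raised by the base SslContextFactory once the loaded keystore maps more than one host name to a certificate, and both maintainers point at the fix: use SslContextFactory.Server. As an added example (not code from this issue or from the Jetty project), the Jetty 9.4 server below does exactly that, with a single self-signed certificate whose CN ("localhost") differs from its SANs, which is the situation the reporter describes. The keystore path, password and the keytool command used to create it are assumptions of the example.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class SniLocalhostServer {

    // Assumption: the keystore was created with one self-signed certificate whose CN
    // and SANs differ (one certificate, several names), for example:
    //   keytool -genkeypair -keyalg RSA -keysize 2048 -alias jetty -dname "CN=localhost" \
    //     -ext "SAN=dns:localhost,ip:127.0.0.1,ip:0:0:0:0:0:0:0:1" \
    //     -keystore keystore.p12 -storetype PKCS12 -storepass changeit -validity 365
    static final String KEYSTORE_PATH = "keystore.p12";  // assumed path
    static final String KEYSTORE_PASSWORD = "changeit";  // assumed password

    static Server buildServer(int port) {
        Server server = new Server();

        // The Server subclass is the one that supports keystores yielding more than one
        // host-to-certificate mapping. Instantiating the deprecated base class
        // `new SslContextFactory()` with this keystore fails with
        // "KeyStores with multiple certificates are not supported on the base class ...".
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(KEYSTORE_PATH);
        ssl.setKeyStoreType("PKCS12");
        ssl.setKeyStorePassword(KEYSTORE_PASSWORD);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);
        // SecureRequestCustomizer performs the SNI host check: the Host header of the
        // request must be consistent with the SNI / certificate the connection was set up with.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(port);
        server.addConnector(https);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException, ServletException {
                response.setContentType("text/plain;charset=utf-8");
                response.setStatus(HttpServletResponse.SC_OK);
                response.getWriter().println("served for Host: " + request.getServerName());
                baseRequest.setHandled(true);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = buildServer(8443);
        server.start();
        server.join();
    }
}
```

With this configuration a client that sends SNI "localhost" (or none at all, when using the JDK defaults against a dotless name) is served from the single certificate, while a request whose Host header does not match the certificate's names is rejected by SecureRequestCustomizer. The same keystore loaded through the base SslContextFactory reproduces the IllegalStateException quoted above.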
