This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 86a6a143e776e2fd03898ba7cdd348d346b726ae
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 10:16:00 2021 +0000
Ensure SSLHostConfig lookups for SNI from OpenSSL are case insensitive
This is the fourth part of the fix to make mapping of SNI values to SSL virtual hosts case insensitive.
---
java/org/apache/tomcat/jni/SSLContext.java | 8 ++++++--
java/org/apache/tomcat/util/net/AbstractEndpoint.java | 13 ++++++++++++-
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/jni/SSLContext.java b/java/org/apache/tomcat/jni/SSLContext.java
index e0759b3..8c2f9b9 100644
--- a/java/org/apache/tomcat/jni/SSLContext.java
+++ b/java/org/apache/tomcat/jni/SSLContext.java
@@ -17,6 +17,7 @@
 package org.apache.tomcat.jni;
+import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -416,7 +417,9 @@ public final class SSLContext {
 if (sniCallBack == null) {
 return 0;
 }
- return sniCallBack.getSslContext(sniHostName);
+ // Can't be sure OpenSSL is going to provide the SNI value in lower case
+ // so convert it before looking up the SSLContext
+ return sniCallBack.getSslContext(sniHostName.toLowerCase(Locale.ENGLISH));
 }
 /**
@@ -470,7 +473,8 @@ public final class SSLContext {
 * This callback is made during the TLS handshake when the client uses
 * the SNI extension to request a specific TLS host.
 *
- * @param sniHostName The host name requested by the client
+ * @param sniHostName The host name requested by the client - must be in
+ * lower case
 *
 * @return The Java representation of the pointer to the OpenSSL
 * SSLContext to use for the given host or zero if no SSLContext
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 1583faf..504074f 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
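Review bot: In SSLContext.java, hunk `@@ -416,7 +417,9 @@` (the static SNI callback), `sniHostName.toLowerCase(Locale.ENGLISH)` dereferences a value handed over by native code, so a null host name would now raise a NullPointerException inside the TLS handshake callback, where the removed line passed the value through untouched. Whether the native layer can ever pass null is not visible in this hunk, so this is a defensive point. A guard keeps the old tolerance: `String hostName = (sniHostName == null) ? null : sniHostName.toLowerCase(Locale.ENGLISH);` then `return sniCallBack.getSslContext(hostName);`. The method's signature and opening lines are outside the hunk.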
@@ -386,7 +386,18 @@ public abstract class AbstractEndpoint<S,U> {
 }
-
+ /**
+ * Look up the SSLHostConfig for the given host name. Lookup order is:
+ * <ol>
+ * <li>exact match</li>
+ * <li>wild card match</li>
+ * <li>default SSLHostConfig</li>
+ * </ol>
+ *
+ * @param sniHostName Host name - must be in lower case
+ *
+ * @return The SSLHostConfig for the given host name.
+ */
 protected SSLHostConfig getSSLHostConfig(String sniHostName) {
 SSLHostConfig result = null;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
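Review bot: The new Javadoc on `getSSLHostConfig` makes lower-casing a caller obligation (`must be in lower case`) but does not say what happens when the obligation is not met. Going by the documented lookup order, a mixed-case name would presumably miss both the exact and wild card matches and silently receive the default SSLHostConfig, meaning a different certificate and TLS policy than the virtual host the client asked for. I would spell that out in the contract, e.g. `@param sniHostName Host name - must be in lower case (Locale.ENGLISH); a name in any other case falls through to the default SSLHostConfig`. The method body continues outside the hunk, so whether it normalises or validates the name itself cannot be confirmed from here.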