Invalid SNI Request #749

Closed
andle opened this issue Jan 26, 2022 · 5 comments


andle commented Jan 26, 2022

Checklist

  • [x] I checked other issues already, but found no answer/solution
  • [x] I checked the documentation and wiki, but found no answer/solution
  • [x] I am running the latest version and the issue still occurs
  • [x] I am sure that this issue is about SteVe (and not about the charging station software or something unrelated to SteVe)

Specifications

SteVe Version     : ...
Operating system  : Ubuntu 20
JDK               : 11.0.13
Database          : MariaDB 10.3.32

Expected Behavior

Login page to Web Interface accessible, and chargers connect to server.

Actual Behavior

SNI Errors:

[WARN ] 2022-01-26 17:33:59,802 org.eclipse.jetty.server.HttpChannel - handleException /steve/manager/home org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
[WARN ] 2022-01-26 17:34:00,301 org.eclipse.jetty.server.HttpChannel - handleException /favicon.ico org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI

Steps to Reproduce the Problem

  1. Pulled latest from git
  2. Clean, build, restart.
  3. Go to web url...

Additional context

Logs show SNI errors for both the web connection as well as charger socket connections.
Tried updating certificate, rebuilding, still getting error.

Author

andle commented Jan 26, 2022

Went back to 6c4c637 from Dec 25th, and problem is not present there. Some issue with current HEAD.

@goekay goekay added the bug label Jan 26, 2022
Member

goekay commented Jan 26, 2022

thanks @andle, i can reproduce.

the problem happens with HEAD after we migrated from 9.x to jetty 10.x.

the problem is no more there, if i checkout a commit before the respective changes in #747

i am looking into it.

Member

goekay commented Jan 27, 2022

if we modify the following line

https://github.com/RWTH-i5-IDSG/steve/blob/5619987870c17c3c8c88d6e7ff2faf406272dcde/src/main/java/de/rwth/idsg/steve/JettyServer.java#L144

to

httpsConfig.addCustomizer(new SecureRequestCustomizer(false)); 

it will set sniHostCheck to false instead of true, basically disabling SNI. i am not sure about the security implications of this, since i am not that familiar with SNI and SSL mechanisms.

Member

goekay commented Jan 29, 2022

hey @andle, after further inspection, i found out that the SNI handling was reworked in jetty 10.x for tighter checking: jetty/jetty.project#5379

what was 200 OK back then, should have been 400. therefore, i consider it "works as intended". this means that you probably should recreate your certificates with the expected requirements.

@goekay goekay removed the bug label Jan 31, 2022
Author

andle commented Feb 8, 2022

A note for anyone running into this issue and using java keytool:
Add "-ext san=ip:192.168.0.1", or whatever your server ip is, to keytool certificate creation commands to remedy the error.
See https://stackoverflow.com/questions/8744607/how-to-add-subject-alernative-name-to-ssl-certs
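
Added example, not part of the thread or of SteVe's code: a shell sketch that generalizes the keytool note above to several names by building the `-ext san=...` value, creating a self-signed keystore, and confirming the SAN entries ended up in the certificate. The alias, file name, password, host name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example. All names, addresses, the alias and the password are
# constructed placeholders; replace them with the values clients really use.

# Build the value for keytool's -ext option from the names the server is
# reached by. IP literals become ip: entries, everything else dns:.
# The classification is deliberately loose; keytool rejects malformed values.
san_ext() {
    out=""
    for name in "$@"; do
        case "$name" in
            "")         continue ;;   # skip empty arguments
            *:*)        kind=ip ;;    # contains ':'  -> IPv6 literal
            *[!0-9.]*)  kind=dns ;;   # any other non digit/dot -> host name
            *.*.*.*)    kind=ip ;;    # digits and dots only -> IPv4
            *)          kind=dns ;;
        esac
        out="${out:+$out,}$kind:$name"
    done
    printf 'san=%s' "$out"
}

# Create a self-signed key pair whose certificate carries those SAN entries.
# $1 = keystore path, $2 = store password, remaining args = names/IPs.
make_keystore() {
    store=$1; pass=$2; shift 2
    keytool -genkeypair -alias steve -keyalg RSA -keysize 2048 -validity 365 \
        -storetype PKCS12 -keystore "$store" -storepass "$pass" \
        -dname "CN=$1" -ext "$(san_ext "$@")"
}

# Succeed only if every given name is listed in the certificate's
# SubjectAlternativeName block as printed by "keytool -list -v".
check_san() {
    store=$1; pass=$2; shift 2
    listing=$(keytool -list -v -alias steve -keystore "$store" \
        -storepass "$pass" | sed 's/^[[:space:]]*//') || return 1
    for name in "$@"; do
        printf '%s\n' "$listing" |
            grep -Fxq -e "DNSName: $name" -e "IPAddress: $name" || {
                echo "missing SAN entry: $name" >&2; return 1; }
    done
}

# Runs only when invoked as: sh san-keystore.sh --generate
if [ "${1:-}" = "--generate" ]; then
    make_keystore keystore.p12 changeit steve.example.org 192.168.0.1 &&
    check_san keystore.p12 changeit steve.example.org 192.168.0.1 &&
    echo "SAN ok"
fi
```

Running `check_san` against the keystore already in use shows whether it lacks the name or address that clients connect to.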
