Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.

smartconnectors: Suport TLS SNI correctly

Idea ID 2746969

smartconnectors: Suport TLS SNI correctly

Hi,

I found an issue with the flex REST-API connector.

It is unable to handle SNI correctly i.e.

when you connecto to a server which servers more then one https URL, the connector does not follow the "SNI"  (https://en.wikipedia.org/wiki/Server_Name_Indication) correctly and gets the "server default certificate" instead of the cerificate it should get.

Example

- imagine there wold be a rest api running on URL https://lifeistoshort.com
- the server is also serving different URLs like https://icecreamforfree.com

the server presents for whatever reason, the certificate for icecreamforfree.com if you just call the IP/hostname - and thats what the smartconnector is doing.

if the SC would  "handle the TLS connection" correctly, the server would present the lifeistoshort.com certificate.

 

you can test this via asd

1) openssl s_client -showcerts -connect lifeistoshort.com:443
2) openssl s_client -showcerts -connect lifeistoshort.com:443 -servername lifeistoshort.com

in case 1 you get the icecreamforfree.com certificate and in
case 2 you get the right lifeistoshort.com certificate.

 

doing some research i found a hint for the solution, unsure if the code is already in place and it is an other issue however thi site https://bugs.openjdk.java.net/browse/JDK-8173168 says you should ude SSLParameters.setServerNames() to solve the issue.

I also file a SR for this: SD02590356

which has some more details, like pcaps etc.

looking forward for the FR to get implemented

Regard

A.

 

 

Tags (5)
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.