commit 2c522795166c930741a9cecca76797bf48cb1634
Author: Mark Thomas
Date: Mon Jun 18 19:45:13 2018 +0000
Enable host name verification for secure WebSocket client connections by default.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1833760 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/tomcat/websocket/WsWebSocketContainer.java b/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
index ac5122a89c..b526022958 100644
--- java/org/apache/tomcat/websocket/WsWebSocketContainer.java
+++ java/org/apache/tomcat/websocket/WsWebSocketContainer.java
@@ -53,6 +53,7 @@ import java.util.concurrent.TimeoutException;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 import javax.websocket.ClientEndpoint;
 import javax.websocket.ClientEndpointConfig;
@@ -363,7 +364,7 @@ public class WsWebSocketContainer
 // proxy CONNECT, need to use TLS from this point on so wrap the
 // original AsynchronousSocketChannel
 SSLEngine sslEngine = createSSLEngine(
- clientEndpointConfiguration.getUserProperties());
+ clientEndpointConfiguration.getUserProperties(), host, port);
 channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
 } else if (channel == null) {
 // Only need to wrap as this point if it wasn't wrapped to process a
@@ -931,7 +932,7 @@ public class WsWebSocketContainer
 }
- private SSLEngine createSSLEngine(Map userProperties)
+ private SSLEngine createSSLEngine(Map userProperties, String host, int port)
 throws DeploymentException {
 try {
@@ -979,7 +980,7 @@ public class WsWebSocketContainer
 }
 }
- SSLEngine engine = sslContext.createSSLEngine();
+ SSLEngine engine = sslContext.createSSLEngine(host, port);
 String sslProtocolsValue = (String) userProperties.get(SSL_PROTOCOLS_PROPERTY);
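Review bot: The host and port now handed to createSSLEngine in the proxy CONNECT branch are the values the server certificate will be checked against, so this call must receive the origin server's host and port rather than the proxy's; both variables are assigned outside the hunk, so that cannot be confirmed from the visible lines. A one-line comment at the call would make the contract explicit for the next reader, e.g. `// host/port are the origin server's, not the proxy's: the engine verifies the certificate against them`. The enclosing method starts and ends outside the hunk.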
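Review bot: The two new parameters of createSSLEngine are undocumented and the method carries no Javadoc, so the reason host and port are required (they seed the engine that the endpoint identification set later in the method checks against) is only discoverable by reading the whole body. Suggest a short Javadoc on the signature with `@param host peer host name the server certificate is verified against` and `@param port peer port, passed through to SSLContext.createSSLEngine(String, int)`; the same applies to the `createSSLEngine(host, port)` call in the following hunk, which needs no separate note. The method body continues outside the hunk.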
@@ -989,6 +990,14 @@ public class WsWebSocketContainer
 engine.setUseClientMode(true);
+ // Enable host verification
+ // Start with current settings (returns a copy)
+ SSLParameters sslParams = engine.getSSLParameters();
+ // Use HTTPS since WebSocket starts over HTTP(S)
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ // Write the parameters back
+ engine.setSSLParameters(sslParams);
+
 return engine;
 } catch (Exception e) {
 throw new DeploymentException(sm.getString(
diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml
--- webapps/docs/changelog.xml.orig 2019-03-01 09:38:54.202817893 -0500
+++ webapps/docs/changelog.xml 2019-03-01 09:39:29.413704569 -0500
@@ -84,6 +84,14 @@
+
+
+
+ Enable host name verification when using TLS with the WebSocket client.
+ (markt)
+
+
+
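Review bot: The endpoint identification is applied to the engine after the SSLContext has been chosen, so it also covers a context supplied through the SSL_CONTEXT user property (the accompanying web-socket-howto change documents exactly that), but nothing in the code says so, and a later refactor that moves these lines into the default-context branch would silently drop the check for user-supplied contexts. Suggest extending the first comment: `// Enable host verification. Set on the engine, not the context, so it also applies to a user-supplied SSL_CONTEXT; only a custom X509ExtendedTrustManager can bypass it (see web-socket-howto).` The hunk's trailing context lines appear truncated in this rendering, and the enclosing method starts outside the hunk.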
diff -up webapps/docs/web-socket-howto.xml.orig webapps/docs/web-socket-howto.xml
--- webapps/docs/web-socket-howto.xml.orig 2019-03-01 12:46:34.515904379 -0500
+++ webapps/docs/web-socket-howto.xml 2019-03-01 12:51:00.900175575 -0500
@@ -148,10 +148,21 @@ implement its own timeout mechanism to h
  • org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD
  • The default truststore password is changeit.

    -

    If the org.apache.tomcat.websocket.SSL_CONTEXT property is - set then the org.apache.tomcat.websocket.SSL_TRUSTSTORE and - org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD properties - will be ignored.

    + +

    If the org.apache.tomcat.websocket.SSL_CONTEXT property is + set then the org.apache.tomcat.websocket.SSL_TRUSTSTORE and + org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD properties + will be ignored.

    + +

    For secure server end points, host name verification is enabled by default. + To bypass this verification (not recommended), it is necessary to provide a + custom SSLContext via the + org.apache.tomcat.websocket.SSL_CONTEXT user property. The + custom SSLContext must be configured with a custom + TrustManager that extends + javax.net.ssl.X509ExtendedTrustManager. The desired verification + (or lack of verification) can then be controlled by appropriate + implementations of the individual abstract methods.