Merge pull request wildfly#17966 from pferraro/WFLY-19441

WFLY-19441 Decouple SNI host name configuration from physical hostnames and auto-disable hostname validation when unspecified.
bstansberry · Jul 11, 2024 · e0e8d4d · e0e8d4d
2 parents 38573d6 + 906343d
commit e0e8d4d
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 23 deletions.
diff --git a/...ing/infinispan/subsystem/remote/RemoteCacheContainerConfigurationServiceConfigurator.java b/...ing/infinispan/subsystem/remote/RemoteCacheContainerConfigurationServiceConfigurator.java
@@ -5,15 +5,12 @@
 
 package org.jboss.as.clustering.infinispan.subsystem.remote;
 
-import java.net.InetAddress;
 import java.util.ArrayList;
 import java.util.EnumMap;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
-import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
 import java.util.function.Function;
@@ -32,7 +29,6 @@
 import org.infinispan.client.hotrod.configuration.ExecutorFactoryConfiguration;
 import org.infinispan.client.hotrod.configuration.SecurityConfiguration;
 import org.infinispan.client.hotrod.configuration.ServerConfigurationBuilder;
-import org.infinispan.client.hotrod.configuration.SslConfiguration;
 import org.infinispan.commons.marshall.Marshaller;
 import org.infinispan.commons.util.AggregatedClassLoader;
 import org.jboss.as.clustering.controller.CapabilityServiceNameProvider;
@@ -63,7 +59,6 @@
 import org.wildfly.clustering.service.ServiceConfigurator;
 import org.wildfly.clustering.service.ServiceSupplierDependency;
 import org.wildfly.clustering.service.SupplierDependency;
-import org.wildfly.common.net.Inet;
 
 /**
  * @author Radoslav Husar
@@ -186,33 +181,18 @@ public Configuration get() {
         for (Map.Entry<String, List<SupplierDependency<OutboundSocketBinding>>> entry : this.clusters.entrySet()) {
             String clusterName = entry.getKey();
             ClusterConfigurator<? extends ConfigurationChildBuilder> configurator = this.defaultRemoteCluster.equals(clusterName) ? DefaultClusterConfigurator.INSTANCE : new NonDefaultClusterConfigurator(clusterName);
-            this.configureCluster(builder, configurator, entry.getValue());
+            configureCluster(builder, configurator, entry.getValue());
         }
 
         return builder.build();
     }
 
-    private <C extends ConfigurationChildBuilder> void configureCluster(ConfigurationBuilder builder, ClusterConfigurator<C> configurator, List<SupplierDependency<OutboundSocketBinding>> bindingDependencies) {
-        SslConfiguration ssl = this.security.get().ssl();
+    private static <C extends ConfigurationChildBuilder> void configureCluster(ConfigurationBuilder builder, ClusterConfigurator<C> configurator, List<SupplierDependency<OutboundSocketBinding>> bindingDependencies) {
         C cluster = configurator.addCluster(builder);
-        // Track unique source addresses.  Ideally, there are no more than one.
-        Set<InetAddress> sourceAddresses = new HashSet<>(bindingDependencies.size());
         for (Supplier<OutboundSocketBinding> bindingDependency : bindingDependencies) {
             OutboundSocketBinding binding = bindingDependency.get();
-            sourceAddresses.add(binding.getSourceAddress());
             configurator.getBindingConsumer(cluster).accept(binding.getUnresolvedDestinationAddress(), binding.getDestinationPort());
         }
-        if (ssl.enabled()) {
-            // We can only use hostname validation if all socket bindings share the same interface and must specify a host name
-            String hostname = (sourceAddresses.size() == 1) ? Inet.getHostNameIfResolved(sourceAddresses.iterator().next()) : null;
-            if (hostname != null) {
-                // Apply server name indication
-                configurator.getSNIHostNameConsumer(cluster).accept(hostname);
-            } else {
-                // Disable hostname validation if unsupported by configuration
-                builder.security().ssl().hostnameValidation(false);
-            }
-        }
     }
 
     interface ClusterConfigurator<B extends ConfigurationChildBuilder> {

diff --git a/...java/org/jboss/as/clustering/infinispan/subsystem/remote/SecurityServiceConfigurator.java b/...java/org/jboss/as/clustering/infinispan/subsystem/remote/SecurityServiceConfigurator.java
@@ -50,7 +50,7 @@ public <T> ServiceBuilder<T> register(ServiceBuilder<T> builder) {
     public SecurityConfiguration get() {
         SecurityConfigurationBuilder securityBuilder = new ConfigurationBuilder().security();
         SSLContext sslContext = (this.sslContextDependency != null) ? this.sslContextDependency.get() : null;
-        securityBuilder.ssl().sslContext(sslContext).enabled(sslContext != null);
+        securityBuilder.ssl().hostnameValidation(false).sslContext(sslContext).enabled(sslContext != null);
         return securityBuilder.create();
     }
 }