Merge pull request #1426 from Traderjoe95/hostname-verification-reproducer

Don't disable hostname verification for SQL clients unconditionally

Author: vietj

vertx-mysql-client/src/test/java/io/vertx/mysqlclient/MySQLTLSTest.java

@@ -13,6 +13,9 @@
 
 import io.vertx.core.Future;
 import io.vertx.core.Vertx;
+import io.vertx.core.VertxOptions;
+import io.vertx.core.buffer.Buffer;
+import io.vertx.core.dns.AddressResolverOptions;
 import io.vertx.core.net.PemKeyCertOptions;
 import io.vertx.core.net.PemTrustOptions;
 import io.vertx.ext.unit.TestContext;
@@ -260,6 +263,51 @@ public void testConnFailWithVerifyIdentitySslMode(TestContext ctx) {
     }));
   }
 
+  @Test
+  public void testTLSInvalidHostname(TestContext ctx) {
+    MySQLConnection.connect(
+      vertx,
+      options
+        .setSslMode(SslMode.VERIFY_IDENTITY)
+        // The hostname in the test certificate is mysql.vertx.test, so 'localhost' should make for a failed connection
+        .setHost("localhost")
+        .setHostnameVerificationAlgorithm("HTTPS")
+        .setPemTrustOptions(new PemTrustOptions().addCertPath("tls/files/ca.pem"))
+        .setPemKeyCertOptions(new PemKeyCertOptions()
+          .setCertPath("tls/files/client-cert.pem")
+          .setKeyPath("tls/files/client-key.pem")),
+      ctx.asyncAssertFailure(err -> {
+        ctx.assertEquals(err.getMessage(), "No name matching localhost found");
+      }));
+  }
+
+  @Test
+  public void testTLSCorrectHostname(TestContext ctx) {
+    Vertx vertxWithHosts = Vertx.vertx(
+      new VertxOptions()
+        .setAddressResolverOptions(
+          new AddressResolverOptions()
+            .setHostsValue(Buffer.buffer("127.0.0.1 mysql.vertx.test\n"))
+        )
+    );
+
+    MySQLConnection.connect(
+      vertxWithHosts,
+      options
+        .setSslMode(SslMode.VERIFY_IDENTITY)
+        // The hostname in the test certificate is mysql.vertx.test
+        .setHost("mysql.vertx.test")
+        .setHostnameVerificationAlgorithm("HTTPS")
+        .setPemTrustOptions(new PemTrustOptions().addCertPath("tls/files/ca.pem"))
+        .setPemKeyCertOptions(new PemKeyCertOptions()
+          .setCertPath("tls/files/client-cert.pem")
+          .setKeyPath("tls/files/client-key.pem")),
+      ctx.asyncAssertSuccess(conn -> {
+        ctx.assertTrue(conn.isSSL());
+        vertxWithHosts.close();
+      }));
+  }
+
   @Test
   public void testConnFail(TestContext ctx) {
     options.setSslMode(SslMode.REQUIRED);

vertx-mysql-client/src/test/resources/tls/files/server-cert.pem

@@ -1,19 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDBDCCAeygAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
-TF9TZXJ2ZXJfOC4wLjE3X0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X
-DTE5MDkwMjAzMjc1MVoXDTI5MDgzMDAzMjc1MVowQDE+MDwGA1UEAww1TXlTUUxf
-U2VydmVyXzguMC4xN19BdXRvX0dlbmVyYXRlZF9TZXJ2ZXJfQ2VydGlmaWNhdGUw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDg00pPuJv078OExAy7wfx/
-YsPiukl+OpyQAuF/45La5yDIwx3v55MxYqkX9TCuAIZUprWVllf51sOkNHsB/skC
-ZCYiXFlPmi9nCiK4TAuqN5c0rdjVdn8eFt4/CeAzHDC2bvoKbnOwDLKtponqbW8u
-nYkXWQDAxYyojxIUc3wNuyPkefFTkEjuIl3DyhyKZhfFPg0mbDB8t91gSB6oBrEa
-K9LMHJ4fWDsOSRLru8wUXPdstMD8zqKQjVfvG/4U5gb+dYycaZ+cRmPgHjarI+St
-R2ZG9wXs/J1wllciz4fr0je7+R2j7HHKqTY6JqSz0hZjd1Hej2zWAho1K5KqkDbt
-AgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAAb0+bViRmYt
-Enm/jDGyGFCUGCbh8xnxREBLe3SZZTaJ8mVJOZ9wsC7NBCEqkgt6FzcSxIftF0Iz
-ppYpL0XqyYRMHnrtWZBzgkflhTltdNhVTl4sdfrYxJ7kAJ//WSk/wGsa6U7jD5SW
-I3rWfGOcVbnRA+rBDxslg7hSbnoIH19FUBqiIsAMQgSm1/6zlOsA7VPFvSVojSI8
-oGbOOmFsX/Jm793TJvT5ly8ZOCF/EMD+QnK/pS8BiDbTYauvU5Rzfl4fEQVW55YL
-YQAdSj/sUYAcv47Qlx7hp1GrLWHgVynTIC+kwEWKczNQofhL6Ewh3QutiwwD39+K
-KmqT2KQLyKA=
+MIIDZDCCAkygAwIBAgIUfAA0jelPI0Xwr+tkPO8Oz7OnNZkwDQYJKoZIhvcNAQEN
+BQAwPDE6MDgGA1UEAwwxTXlTUUxfU2VydmVyXzguMC4xN19BdXRvX0dlbmVyYXRl
+ZF9DQV9DZXJ0aWZpY2F0ZTAeFw0yNDAzMTExNTE2MDVaFw00NDAzMDYxNTE2MDVa
+MBsxGTAXBgNVBAMMEG15c3FsLnZlcnR4LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDg00pPuJv078OExAy7wfx/YsPiukl+OpyQAuF/45La5yDI
+wx3v55MxYqkX9TCuAIZUprWVllf51sOkNHsB/skCZCYiXFlPmi9nCiK4TAuqN5c0
+rdjVdn8eFt4/CeAzHDC2bvoKbnOwDLKtponqbW8unYkXWQDAxYyojxIUc3wNuyPk
+efFTkEjuIl3DyhyKZhfFPg0mbDB8t91gSB6oBrEaK9LMHJ4fWDsOSRLru8wUXPds
+tMD8zqKQjVfvG/4U5gb+dYycaZ+cRmPgHjarI+StR2ZG9wXs/J1wllciz4fr0je7
++R2j7HHKqTY6JqSz0hZjd1Hej2zWAho1K5KqkDbtAgMBAAGjfzB9MAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFIiHxyASKXMPzKI/uDEi36Afv6ExME4GA1UdIwRHMEWh
+QKQ+MDwxOjA4BgNVBAMMMU15U1FMX1NlcnZlcl84LjAuMTdfQXV0b19HZW5lcmF0
+ZWRfQ0FfQ2VydGlmaWNhdGWCAQEwDQYJKoZIhvcNAQENBQADggEBAAPIZqs8818j
+7+J6W7WDYlmVRyDK1BH/16/tAAUGSo7IJt09bSp6bm2eAlEp9nDgLLTQSPjfGz+f
+Zp1OIdeeKouOFeZfZ5924n7RS1eP49PGD2ZTpk551Rnthni7isL8fOwBx+kZzUIM
+7AQaEi8By5wpwcfNowSMlKR/Wm9OTGqZmmHSixK3HrI6yvHDJwe7fZ6dAl9DDViX
+j0hAQnuROsWz3aZkTF3DJ+CGlYjdQvArrazNgsrBbRvAH7VoGYICxahEYMRenXxz
+1Y1ITH7Mi/+53HQge/RoMCVSNQuyVgr3i5fgz5P+GFxdFc0HCC9uanD/PcObOhBs
+38m1J0pH5Q4=
 -----END CERTIFICATE-----

vertx-pg-client/src/test/java/io/vertx/pgclient/TLSTest.java

@@ -18,6 +18,9 @@
 package io.vertx.pgclient;
 
 import io.vertx.core.Vertx;
+import io.vertx.core.VertxOptions;
+import io.vertx.core.buffer.Buffer;
+import io.vertx.core.dns.AddressResolverOptions;
 import io.vertx.core.net.PemTrustOptions;
 import io.vertx.ext.unit.Async;
 import io.vertx.ext.unit.TestContext;
@@ -94,6 +97,49 @@ public void testTLSInvalidCertificate(TestContext ctx) {
     }));
   }
 
+  @Test
+  public void testTLSInvalidHostname(TestContext ctx) {
+    Async async = ctx.async();
+    PgConnection.connect(
+      vertx,
+      ruleOptionalSll.options()
+        .setSslMode(SslMode.VERIFY_FULL)
+        // The hostname in the test certificate is thebrain.ca, so 'localhost' should make for a failed connection
+        .setHost("localhost")
+        .setHostnameVerificationAlgorithm("HTTPS")
+        .setPemTrustOptions(new PemTrustOptions().addCertPath("tls/server.crt")),
+      ctx.asyncAssertFailure(err -> {
+        ctx.assertEquals(err.getMessage(), "SSL handshake failed");
+        async.complete();
+      }));
+  }
+
+  @Test
+  public void testTLSCorrectHostname(TestContext ctx) {
+    Vertx vertxWithHosts = Vertx.vertx(
+      new VertxOptions()
+        .setAddressResolverOptions(
+          new AddressResolverOptions()
+            .setHostsValue(Buffer.buffer("127.0.0.1 thebrain.ca\n"))
+        )
+    );
+
+    Async async = ctx.async();
+    PgConnection.connect(
+      vertxWithHosts,
+      ruleOptionalSll.options()
+        .setSslMode(SslMode.VERIFY_FULL)
+        // The hostname in the test certificate is thebrain.ca
+        .setHost("thebrain.ca")
+        .setHostnameVerificationAlgorithm("HTTPS")
+        .setPemTrustOptions(new PemTrustOptions().addCertPath("tls/server.crt")),
+      ctx.asyncAssertSuccess(conn -> {
+        ctx.assertTrue(conn.isSSL());
+        vertxWithHosts.close();
+        async.complete();
+      }));
+  }
+
   @Test
   public void testSslModeDisable(TestContext ctx) {
     Async async = ctx.async();

vertx-pg-client/src/test/resources/tls/ssl.sh

@@ -58,7 +58,11 @@ protected NetClient netClient(NetClientOptions options) {
     if (options.getClass() != NetClientOptions.class) {
       options = new NetClientOptions(options);
     }
-    options.setHostnameVerificationAlgorithm("");
+
+    if (options.getHostnameVerificationAlgorithm() == null) {
+      options.setHostnameVerificationAlgorithm("");
+    }
+
     JsonObject key = options.toJson();
     NetClient client;
     synchronized (this) {