diff --git a/docs/guides/server/keycloak-truststore.adoc b/docs/guides/server/keycloak-truststore.adoc index dfd3f6e7bf7..963a6152153 100644 --- a/docs/guides/server/keycloak-truststore.adoc +++ b/docs/guides/server/keycloak-truststore.adoc @@ -29,7 +29,7 @@ It is still possible to directly set your own `javax.net.ssl` truststore System You may refine how hostnames are verified by TLS connections with the `tls-hostname-verifier` property. * `DEFAULT` (the default) allows wildcards in subdomain names (e.g. *.foo.com) to match names with the same number of levels (e.g. a.foo.com, but not a.b.foo.com) - with rules and exclusions for public suffixes based upon https://publicsuffix.org/list/ -* `ANY` means that the hostname is not verified. +* `ANY` means that the hostname is not verified - this mode should not be used in production. * `WILDCARD` (deprecated) allows wildcards in subdomain names (e.g. *.foo.com) to match anything, including multiple levels (e.g. a.b.foo.com). Use DEFAULT instead. * `STRICT` (deprecated) allows wildcards in subdomain names (e.g. *.foo.com) to match names with the same number of levels (e.g. a.foo.com, but not a.b.foo.com) - with some limited exclusions. Use DEFAULT instead. + diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/TruststoreOptions.java b/quarkus/config-api/src/main/java/org/keycloak/config/TruststoreOptions.java index 3cd98683d97..1d20a2bdd32 100644 --- a/quarkus/config-api/src/main/java/org/keycloak/config/TruststoreOptions.java +++ b/quarkus/config-api/src/main/java/org/keycloak/config/TruststoreOptions.java 
@@ -13,7 +13,7 @@ public class TruststoreOptions {
 public static final Option HOSTNAME_VERIFICATION_POLICY = new OptionBuilder<>("tls-hostname-verifier", HostnameVerificationPolicy.class)
 .category(OptionCategory.TRUSTSTORE)
- .description("The TLS hostname verification policy for out-going HTTPS and SMTP requests.")
+ .description("The TLS hostname verification policy for out-going HTTPS and SMTP requests. ANY should not be used in production.")
 .defaultValue(HostnameVerificationPolicy.DEFAULT)
 .deprecatedValues("STRICT and WILDCARD have been deprecated, use DEFAULT instead.", HostnameVerificationPolicy.STRICT, HostnameVerificationPolicy.WILDCARD)
 .build();
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.approved.txt
index 00d72240a5a..0d682945420 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.approved.txt
@@ -147,8 +147,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
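Review bot: The new sentence `ANY should not be used in production.` in the `.description(...)` call says ANY is unsafe but not what it still enforces, and that matters because this same commit removes the trust-all `X509TrustManager` that `HostnameVerificationPolicy.ANY` used to install in JSSETruststoreConfigurator, so an operator reading the help text cannot tell whether ANY now relaxes hostname matching alone or certificate validation too. I would make the description explicit, e.g. `.description("The TLS hostname verification policy for out-going HTTPS and SMTP requests. ANY disables hostname verification only, not certificate validation, and should not be used in production.")`, which matches what the new `test02VerifyEmailWithSslWrongCertificateAndAnyHostnamePolicy` appears to expect. Changing the string also means re-approving the HelpCommandDistTest approved files touched later in this diff.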
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.approved.txt
index 7294a04863e..5a7d9521bb8 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.approved.txt
@@ -245,8 +245,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.approved.txt
index 873ab40cab7..bb02c10120f 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.approved.txt
@@ -147,8 +147,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.approved.txt
index a933e339b3b..ee01dd069d5 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.approved.txt
@@ -245,8 +245,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
index 14734a3f875..897e5f69228 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
@@ -318,8 +318,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
index f62129cbc57..67adfb07bc6 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
@@ -451,8 +451,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
index 03aa2f3449b..cc9799de142 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
@@ -319,8 +319,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
index 8512d1d7f12..5971f34a846 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
@@ -452,8 +452,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
index e0b7d261a72..f0dcb1b134f 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
@@ -270,8 +270,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
index 08645b9f7f8..f607852cef9 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
@@ -392,8 +392,8 @@ Truststore:
 --tls-hostname-verifier The TLS hostname verification policy for out-going HTTPS and SMTP requests.
- Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
- DEFAULT. Default: DEFAULT.
+ ANY should not be used in production. Possible values are: ANY, WILDCARD
+ (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
 --truststore-paths List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.
diff --git a/services/src/main/java/org/keycloak/truststore/JSSETruststoreConfigurator.java b/services/src/main/java/org/keycloak/truststore/JSSETruststoreConfigurator.java
index 3bbc12dc5aa..6904797f41f 100755
--- a/services/src/main/java/org/keycloak/truststore/JSSETruststoreConfigurator.java
+++ b/services/src/main/java/org/keycloak/truststore/JSSETruststoreConfigurator.java
@@ -17,15 +17,12 @@ package org.keycloak.truststore;
-import org.keycloak.common.enums.HostnameVerificationPolicy;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
-
-import java.security.cert.X509Certificate;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
+
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
 /**
 * @author Marko Strukelj
@@ -76,22 +73,6 @@ public class JSSETruststoreConfigurator {
 return null;
 }
- if (getProvider().getPolicy() == HostnameVerificationPolicy.ANY) {
- return new TrustManager[] {
- new X509TrustManager() {
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-
- public void checkClientTrusted(X509Certificate[] certs, String authType) {
- }
-
- public void checkServerTrusted(X509Certificate[] certs, String authType) {
- }
- }
- };
- }
-
 if (tm == null) {
 synchronized (this) {
 if (tm == null) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TrustStoreEmailTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TrustStoreEmailTest.java
index 249025ec86a..239d045fc1a 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TrustStoreEmailTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TrustStoreEmailTest.java
@@ -18,8 +18,10 @@ package org.keycloak.testsuite.ssl;
 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.After;
+import org.junit.FixMethodOrder;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.runners.MethodSorters;
 import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.common.enums.HostnameVerificationPolicy;
 import org.keycloak.events.Details;
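Review bot: With the `HostnameVerificationPolicy.ANY` short-circuit removed from JSSETruststoreConfigurator, every caller now falls through to the lazily initialised `tm`, so the double-checked locking on the context lines `if (tm == null) { synchronized (this) { if (tm == null) {` carries the whole load; that pattern is only correct under the Java memory model if `tm` is declared `volatile`, and the field declaration is outside this hunk, so please confirm. The removed branch was also the only place in this file where the hostname policy influenced which trust managers were returned, which is a behaviour change worth recording at the remaining code, e.g. `// The hostname verification policy is not consulted here: ANY relaxes hostname matching only and no longer bypasses the trust managers initialised below.` The enclosing method starts before this hunk (its `return null;` is the first context line) and continues after it.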
@@ -49,6 +51,7 @@ import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
 *
 * @author fkiss
 */
+@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest {
 @Page
@@ -145,12 +148,7 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest {
 }
 @Test
- public void verifyEmailWithSslEnabled() {
- verifyEmailWithSslEnabled(false);
- }
-
- @Test
- public void verifyEmailWithSslWrongCertificate() throws Exception {
+ public void test01VerifyEmailWithSslWrongCertificate() throws Exception {
 UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), "test-user@localhost");
 SslMailServer.startWithSsl(this.getClass().getClassLoader().getResource(SslMailServer.INVALID_KEY).getFile());
@@ -175,7 +173,17 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest {
 }
 @Test
- public void verifyEmailWithSslWrongHostname() throws Exception {
+ public void test02VerifyEmailWithSslWrongCertificateAndAnyHostnamePolicy() throws Exception {
+ testingClient.testing().modifyTruststoreSpiHostnamePolicy(HostnameVerificationPolicy.ANY);
+ try {
+ test01VerifyEmailWithSslWrongCertificate();
+ } finally {
+ testingClient.testing().reenableTruststoreSpi();
+ }
+ }
+
+ @Test
+ public void test03erifyEmailWithSslWrongHostname() throws Exception {
 UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), "test-user@localhost");
 try (RealmAttributeUpdater updater = new RealmAttributeUpdater(testRealm())
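Review bot: The new method name `test03erifyEmailWithSslWrongHostname` is missing the `V` of `Verify`; it should read `public void test03VerifyEmailWithSslWrongHostname() throws Exception {` so it follows the `testNNVerify…` scheme the other renamed tests use. `test02VerifyEmailWithSslWrongCertificateAndAnyHostnamePolicy` invokes `test01VerifyEmailWithSslWrongCertificate` directly after switching the policy to ANY, which is fine, but the intent deserves a Javadoc line such as `/** ANY relaxes hostname verification only; a server presenting an untrusted certificate must still be rejected. */` so the call is not read as a copy-paste error. The `@FixMethodOrder(MethodSorters.NAME_ASCENDING)` added in the first hunk of this file together with the numeric prefixes indicates the tests now depend on execution order, presumably because mail-server or truststore SPI state leaks between methods; if so, a sentence on the class Javadoc naming that dependency would help the next maintainer. The body of `test03…` continues past the hunk.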
@@ -204,19 +212,24 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest {
 }
 @Test
- public void verifyEmailWithSslWrongHostnameButAnyHostnamePolicy() throws Exception {
+ public void test04VerifyEmailWithSslEnabled() {
+ verifyEmailWithSslEnabled(false);
+ }
+
+ @Test
+ public void test05VerifyEmailWithSslWrongHostnameButAnyHostnamePolicy() throws Exception {
 testingClient.testing().modifyTruststoreSpiHostnamePolicy(HostnameVerificationPolicy.ANY);
 try (RealmAttributeUpdater updater = new RealmAttributeUpdater(testRealm())
 .setSmtpServer("host", "localhost.localdomain")
 .update()) {
- verifyEmailWithSslEnabled();
+ test04VerifyEmailWithSslEnabled();
 } finally {
 testingClient.testing().reenableTruststoreSpi();
 }
 }
 @Test
- public void verifyEmailOpportunisticEncryptionWithAnyHostnamePolicy() throws Exception {
+ public void test06VerifyEmailOpportunisticEncryptionWithAnyHostnamePolicy() throws Exception {
 testingClient.testing().modifyTruststoreSpiHostnamePolicy(HostnameVerificationPolicy.ANY);
 try (RealmAttributeUpdater updater = new RealmAttributeUpdater(testRealm())
 .setSmtpServer("host", "localhost.localdomain")
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/keystore/email_invalid.jks b/testsuite/integration-arquillian/tests/base/src/test/resources/keystore/email_invalid.jks
index e940f190cf2..b1193fc96c8 100644
Binary files a/testsuite/integration-arquillian/tests/base/src/test/resources/keystore/email_invalid.jks and b/testsuite/integration-arquillian/tests/base/src/test/resources/keystore/email_invalid.jks differ