MB_JETTY_SKIP_SNI evaluating env variable as string instead of bool, always evaluating to truthy if set #42435
Labels
.Backend
Operation/Environment variables
Priority:P1
Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness
.Team/AdminWebapp
Admin and Webapp team
Type:Bug
Product defects
Describe the bug
Setting MB_JETTY_SKIP_SNI always evaluates to false if unset and always evaluates to true if set because config/config-str is being used instead of config/config-bool for :mb-jetty-skip-sni.
To Reproduce
YOUR.HOSTNAME with your hostname (can't be localhost and requires at least one . in the hostname). (May need to add a line to your /etc/hosts when using 127.0.0.1.)
# leave all prompted values for CN, CO, ST, etc. blank
$ keytool -keystore selfsigned-ip-cn-and-san-nohost.jks -storepass storepass -genkeypair -keyalg RSA -validity 365
MB_JETTY_SKIP_SNI to any value (e.g. false, "false", true, "true", abc123)
MB_JETTY_SKIP_SNI=false in the .env file which defaults to false and should see an SNI error since the hostname won't match the certificate
Expected behavior
:mb-jetty-skip-sni to false and enable SNI:
MB_JETTY_SKIP_SNI=false
MB_JETTY_SKIP_SNI="false"
MB_JETTY_SKIP_SNI in the .env
:mb-jetty-skip-sni to true and disable SNI:
MB_JETTY_SKIP_SNI=true
MB_JETTY_SKIP_SNI="true"
Logs
If SNI enabled and hostname doesn't match certificate, then expect to see below in logs:
If SNI disabled, expect to see nothing unusual in the logs
Information about your Metabase installation
Severity
P1: Users unable to explicitly set MB_JETTY_SKIP_SNI to false
MB_JETTY_SKIP_SNI=false explicitly requiring SNI to address a risk and SNI would be disabled, and there may be no indication to administrator that it was not working unless they tried to verify it which would be unusual.
Additional context
https://metaboat.slack.com/archives/C052ZBWRG3W/p1715096284142429
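
The string-versus-boolean reading described in this issue, as an added Clojure example (not Metabase's code and not part of the original report). read-str and read-bool-strict are hypothetical stand-ins for config/config-str and config/config-bool, the sample environments are constructed, and rejecting unrecognised values instead of guessing is this example's own choice.

```clojure
(ns example.skip-sni
  (:require [clojure.string :as str]))

;; Constructed sample environments; the last two model a loader that
;; keeps the quotes from the .env file and an unrecognised value.
(def sample-envs
  [{}
   {"MB_JETTY_SKIP_SNI" "false"}
   {"MB_JETTY_SKIP_SNI" "true"}
   {"MB_JETTY_SKIP_SNI" "\"false\""}
   {"MB_JETTY_SKIP_SNI" "abc123"}])

(defn read-str
  "Hypothetical string reader: the raw value, or nil when the key is unset."
  [env k]
  (get env k))

(defn read-bool-strict
  "Hypothetical boolean reader: default when unset, true/false when the
  value says so (case-insensitive, optional surrounding quotes), and an
  exception for anything else so a typo cannot silently change the setting."
  [env k default]
  (let [raw (get env k)]
    (if (nil? raw)
      default
      (case (-> raw str/trim (str/replace #"^\"|\"$" "") str/lower-case)
        "true"  true
        "false" false
        (throw (ex-info (str k " must be true or false") {:key k :value raw}))))))

(defn skip-sni-buggy?
  "Any non-nil string, including \"false\", is truthy in Clojure."
  [env]
  (boolean (read-str env "MB_JETTY_SKIP_SNI")))

(defn skip-sni-fixed?
  "Parses the value; unset keeps the default of false (SNI check enabled)."
  [env]
  (read-bool-strict env "MB_JETTY_SKIP_SNI" false))

;; Print both readings side by side for each constructed environment.
(doseq [env sample-envs]
  (println (pr-str env)
           "buggy:" (skip-sni-buggy? env)
           "fixed:" (try (skip-sni-fixed? env)
                         (catch clojure.lang.ExceptionInfo e
                           (str "rejected: " (ex-message e))))))
```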