I managed to get Wildfly-openssl working, but there were a couple of issues along the way. One such issue is that it chose the wrong server certificate for submission to the client. It doesn't appear to call the chooseServerAlias(..) method to match the selected alias in the KeyManager. Rather, it just calls keyManager.getServerAliases() and takes the first alias on the list. This could very well create incompatibilities, esp. in scenarios where multiple certs are installed, some of which are not intended for presentation to the client.
@jamieb22, I am not an expert in this area, but my reading of the code and my understanding of the getServerAliases and chooseServerAlias API suggest that the current implementation in WildFly OpenSSL will end up using the first in the list of returned aliases. This first one is expected to be the best-matched alias, from what I understand of the API. If we do use chooseServerAlias instead, I suspect that too will end up returning this same alias.
Is there some specific scenario where this is returning a wrong/unexpected cert alias?
There is a subtle difference in semantics between getServerAliases() and chooseServerAlias(). getServerAliases() simply returns all matching aliases; chooseServerAlias() asks the KeyManager to actually go ahead and select one for presentation to the client. Likewise for the client side.
Our custom KeyManager overrides chooseServerAlias to select the desired certificate by alias. To ensure compatibility with Wildfly, we needed to ensure that the first alias returned by getServerAliases() would be the desired one. It's not a train smash for us, since this subtle difference is easily accounted for, but the behaviour is different when compared to JSSE.
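To make the semantic difference concrete, here is an added example of the kind of delegating KeyManager the thread describes. It is not code from WildFly OpenSSL or from the reporter: it wraps the JDK's default X509KeyManager, leaves getServerAliases() untouched (so a caller that only takes the first returned alias sees the delegate's ordering), and overrides chooseServerAlias()/chooseEngineServerAlias() to return one pinned alias. If the pinned alias is not among the aliases the delegate considers usable for the requested key type and issuers, it returns null so the handshake fails rather than presenting a certificate that was never meant for clients. The PKCS12 keystore path, password and pinned alias are taken from the command line, and the key type "RSA" used in main() is an assumption for the demonstration.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Key manager that pins the server certificate to a single alias.
 * getServerAliases() is delegated unchanged; only the choose*ServerAlias
 * methods are overridden, which is exactly the method pair whose
 * difference the issue above is about.
 */
public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String serverAlias;

    public PinnedAliasKeyManager(X509KeyManager delegate, String serverAlias) {
        this.delegate = delegate;
        this.serverAlias = serverAlias;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return pinnedIfUsable(keyType, issuers);
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return pinnedIfUsable(keyType, issuers);
    }

    // Only hand out the pinned alias when the delegate itself lists it as a
    // match for this key type / issuer set; otherwise fail closed (null).
    private String pinnedIfUsable(String keyType, Principal[] issuers) {
        String[] candidates = delegate.getServerAliases(keyType, issuers);
        if (candidates != null && Arrays.asList(candidates).contains(serverAlias)) {
            return serverAlias;
        }
        return null;
    }

    // Everything else is passed straight through to the JDK key manager.
    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    // Usage: java PinnedAliasKeyManager <keystore.p12> <password> <pinned-alias>
    // Prints what a "first alias" caller would pick next to what
    // chooseServerAlias() returns, so the two code paths can be compared.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] password = args[1].toCharArray();
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        PinnedAliasKeyManager pinned = new PinnedAliasKeyManager(base, args[2]);

        String[] all = pinned.getServerAliases("RSA", null); // "RSA" is an assumed key type
        String firstAliasPick = (all == null || all.length == 0) ? null : all[0];
        System.out.println("getServerAliases(\"RSA\")  -> " + Arrays.toString(all));
        System.out.println("first-alias pick          -> " + firstAliasPick);
        System.out.println("chooseServerAlias(\"RSA\") -> " + pinned.chooseServerAlias("RSA", null, null));
    }
}
```

With a keystore holding more than one RSA entry, the first-alias pick and the chooseServerAlias() result will generally differ unless the pinned entry happens to be listed first, which is the ordering dependence the reporter had to work around. Note that the SunX509 key manager lower-cases aliases, so the pinned alias should be given in lower case.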