Posted to users@camel.apache.org by Ioannis Mavroukakis <im...@gmail.com> on 2016/02/22 14:56:36 UTC
How do I access the SNI extension in HTTP4?
Hello everyone.
I've been banging my head against a brick wall trying to figure out a
way to configure SNI on the http4 component.
According to
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension
the way to do it is as follows (emphasis mine):
> SSLEngine sslEngine = sslContext.createSSLEngine("172.16.10.6", 443);
> SNIHostName serverName = new SNIHostName("www.example.com");
> List<SNIServerName> serverNames = new ArrayList<>(1);
> serverNames.add(serverName);
>
> SSLParameters params = sslEngine.getSSLParameters();
> params.setServerNames(serverNames);
> sslEngine.setSSLParameters(params);
For the life of me, however, I cannot figure out a way to do this, either
via the DSL (preferable) or programmatically. With respect to the
programmatic configuration, should I be using HttpClientConfigurer?
TIA,
Ioannis
Re: How do I access the SNI extension in HTTP4?
Posted by Ioannis Mavroukakis <im...@gmail.com>.
I finally worked it out. For anyone else who might be interested, this
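is how it needs to be done:

import java.io.IOException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.camel.RuntimeCamelException;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

// Members of an HttpClientConfigurer implementation. keyStore, password,
// NOOP_HOSTNAME_VERIFIER, SNI_HOST_NAME and SNI_HOST_HEADER are fields of
// that class and are not shown in the post.

    @Override
    public void configureHttpClient(HttpClientBuilder clientBuilder) {
        try {
            SSLContext sslContext = getSSLContext(keyStore, password);
            SSLConnectionSocketFactory sslConnectionSocketFactory =
                new SNISupportSSLConnectionSocketFactory(sslContext, NOOP_HOSTNAME_VERIFIER);
            // Register the SNI-aware factory for https in a connection manager
            // built here, then hand that manager to the builder.
            Registry<ConnectionSocketFactory> connectionSocketFactoryRegistry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", PlainConnectionSocketFactory.getSocketFactory())
                    .register("https", sslConnectionSocketFactory)
                    .build();
            HttpClientConnectionManager connectionManager =
                new PoolingHttpClientConnectionManager(connectionSocketFactoryRegistry);
            clientBuilder.setConnectionManager(connectionManager);
            clientBuilder.setDefaultHeaders(Collections.singleton(SNI_HOST_HEADER));
        } catch (Exception e) {
            throw new RuntimeCamelException(e);
        }
    }

    // Key managers and trust managers are both initialised from the same key store.
    protected SSLContext getSSLContext(KeyStore keyStore, char[] password) throws Exception {
        KeyManagerFactory keyManagerFactory =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, password);
        TrustManagerFactory trustManagerFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        SSLContext sslcontext = SSLContext.getInstance("TLS");
        sslcontext.init(keyManagerFactory.getKeyManagers(),
            trustManagerFactory.getTrustManagers(), new SecureRandom());
        return sslcontext;
    }

    private static final class SNISupportSSLConnectionSocketFactory
            extends SSLConnectionSocketFactory {

        public SNISupportSSLConnectionSocketFactory(SSLContext sslContext,
                HostnameVerifier hostnameVerifier) {
            super(sslContext, hostnameVerifier);
        }

        // Called for each new SSL socket before the handshake: set the SNI server name.
        @Override
        protected void prepareSocket(SSLSocket socket) throws IOException {
            List<SNIServerName> serverNames = Collections.singletonList(SNI_HOST_NAME);
            SSLParameters sslParameters = socket.getSSLParameters();
            sslParameters.setServerNames(serverNames);
            socket.setSSLParameters(sslParameters);
            super.prepareSocket(socket);
        }
    }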
Re: How do I access the SNI extension in HTTP4?
Posted by Ioannis Mavroukakis <im...@gmail.com>.
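I've put this together:

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.camel.component.http4.HttpClientConfigurer;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;

public class TestHttpClientConfigurer implements HttpClientConfigurer {
    private static final File KEYSTORE = new File("src/main/resources/config/certs/custom.jks");
    private static final String PASSWORD = "password";

    @Override
    public void configureHttpClient(HttpClientBuilder clientBuilder) {
        try {
            // The same JKS file is loaded as both key store and trust store.
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(KEYSTORE)) {
                keyStore.load(in, PASSWORD.toCharArray());
            }
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(KEYSTORE)) {
                trustStore.load(in, PASSWORD.toCharArray());
            }
            SSLContext sslContext = getSSLContext(keyStore, trustStore);
            SSLConnectionSocketFactory sslConnectionSocketFactory =
                new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier()) {
                    @Override
                    protected void prepareSocket(SSLSocket socket) throws IOException {
                        SNIHostName serverName = new SNIHostName("www.example.com");
                        List<SNIServerName> serverNames = new ArrayList<>(1);
                        serverNames.add(serverName);
                        // getSSLParameters() returns a copy, so set the result back.
                        SSLParameters params = socket.getSSLParameters();
                        params.setServerNames(serverNames);
                        socket.setSSLParameters(params);
                        super.prepareSocket(socket);
                    }
                };
            // Registered on the builder only; the HttpClientBuilder javadoc notes that
            // setConnectionManager() overrides this value.
            clientBuilder.setSSLSocketFactory(sslConnectionSocketFactory);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    protected SSLContext getSSLContext(KeyStore keyStore, KeyStore trustStore) throws Exception {
        KeyManagerFactory keyManagerFactory =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, PASSWORD.toCharArray());
        TrustManagerFactory trustManagerFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        SSLContext sslcontext = SSLContext.getInstance("TLS");
        sslcontext.init(keyManagerFactory.getKeyManagers(),
            trustManagerFactory.getTrustManagers(), null);
        return sslcontext;
    }
}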
And my route:
https4://10.1.1.1:8301/post?httpClientConfigurer=testHttpClientConfigurer (registered
in Spring XML)
However, prepareSocket is never invoked; instead it's using the default
SSLConnectionSocketFactory. What am I missing?
TIA
- ioannis
Re: How do I access the SNI extension in HTTP4?
Posted by Ioannis Mavroukakis <im...@gmail.com>.
https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-7.html
The link says "8" but the document mentions JDK 7
Re: How do I access the SNI extension in HTTP4?
Posted by Claus Ibsen <cl...@gmail.com>.
The javadoc for that SNI says it's since Java 1.8. But take a 2nd look
to be sure.
Yeah I would assume somewhere with that configurer you can control all
yourself. You may want to peek in the source of camel-http4 to see what
happens and to give you an idea how to set up the security.
You can of course also look at the http4 docs themselves as that ought to
help as well.
--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
Re: How do I access the SNI extension in HTTP4?
Posted by Ioannis Mavroukakis <im...@gmail.com>.
Thanks Claus, isn't this a Java 7 feature though?
I'm ok to try to do this manually, is the SSLContext something I could
get to from HttpClientConfigurer?
Re: How do I access the SNI extension in HTTP4?
Posted by Claus Ibsen <cl...@gmail.com>.
Hi
I logged a ticket to get this support in Camel when we are Java 8+
https://issues.apache.org/jira/browse/CAMEL-9638
Not sure how you do this today, but you likely need to set up all this
a bit manually and hook into http4 as an SslContext or something.
--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2