Posted to dev@hc.apache.org by "Bruno Harbulot (JIRA)" <ji...@apache.org> on 2013/09/17 22:21:57 UTC

[jira] [Commented] (HTTPCLIENT-1119) Server Name Indication (SNI) Support

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13769887#comment-13769887 ] 

Bruno Harbulot commented on HTTPCLIENT-1119:
--------------------------------------------

(I've just seen the initial patch: it's quite clearly confusing SNI with host name verification. As has already been said, SNI happens at the TLS level and has nothing to do with host name verification: making the error disappear by tweaking the host name verifier is only a side-effect.)

A simpler way to have SNI support would be to use the socket methods that use the name instead of the address.

The following code (which doesn't rely on reflection tricks and would work on Java 6) would enable SNI with Java 7 (but not Java 6, of course):

{code:java}
javax.net.ssl.SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) ssf.createSocket("www.google.com", 443);
{code}

The following code _would not_:

{code:java}
SSLSocket socket = (SSLSocket) ssf.createSocket(InetAddress.getByName("www.google.com"), 443);
{code}

When using an {{InetAddress}}, the host name information is lost. This is what prevents SNI from being used.

Perhaps letting the socket API do the DNS resolution whenever possible would be a simpler way to fix this altogether.
                
> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically test host access and availability.
