hc-dev mailing list archives

From "John Vasileff (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1119) Server Name Indication (SNI) Support
Date Fri, 15 Feb 2013 16:11:15 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579273#comment-13579273 ]

John Vasileff commented on HTTPCLIENT-1119:
-------------------------------------------

Oleg,

My understanding is that SNI's sole purpose is to support multiple https sites on a single
IP, and it is not to either increase or decrease the level of security. Sending the domain
name over the wire in an SNI scenario is nearly equivalent information to the IP address of
the web host in a single web site per IP scenario. If other platforms have standardized on
supporting SNI, why shouldn't the Java universe? The world is stuck with one-site-per-IPv4-address
until support for SNI is ubiquitous.

Is the real issue the use of reflection in the offered patch, or a desire to not use SNI by
default? If the former, any suggestions to work around this? I haven't looked at the code,
but along the lines of what Josef asked, do you have a hunch as to the effort of implementing
this without reflection or generally what must be done? Is the argument against reflection
performance or aesthetics?

John
                
> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically test host access and availability.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
