hc-dev mailing list archives

From "Will Norris (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1119) Server Name Indication (SNI) Support
Date Fri, 15 Feb 2013 17:41:12 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579353#comment-13579353 ]

Will Norris commented on HTTPCLIENT-1119:
-----------------------------------------

Adding support for SNI has no bearing on how that certificate is validated, with the exception
that the *lack* of SNI support encourages developers to turn off host verification altogether
in order to get things to work.  Adding support for SNI will in fact *increase* the ability
to have secure applications.  And while I'm not intimately familiar with how HttpClient does
cert validation, I suspect that simply switching out the hostname verifier is not sufficient,
as SNI requires the desired hostname to be specified in the initial handshake.

Regarding the mention of Android and HttpClient earlier in this thread, see http://android-developers.blogspot.com/2011/09/androids-http-clients.html.
 Most specifically, the very last line: "New applications should use HttpURLConnection; it
is where we will be spending our energy going forward."
                
> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically test host access and availability.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
