hc-dev mailing list archives

From "Bruno Harbulot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1119) Server Name Indication (SNI) Support
Date Wed, 18 Sep 2013 12:16:53 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13770705#comment-13770705 ]

Bruno Harbulot commented on HTTPCLIENT-1119:


Indeed, in principle, it could work using the host from {{InetAddress}}, but it doesn't. I
guess it's there to capture the intent. {{InetAddress.getHostName()}} does retain the host
name, but it also does a reverse lookup if it came from an IP address, which may not have
been the intent.

Try the two snippets of code above and look at the {{Client Hello}} message with Wireshark,
you'll see only the first one has the {{server_name}} extension.

If you look at the [{{SSLSocketImpl}} source code|http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/ssl/SSLSocketImpl.java],
only the methods that have {{String host}} parameters set the internal {{host}} name used
for SNI.

(Similarly, for {{SSLEngine}}, you need to create it with {{SSLContext.createSSLEngine(String
peerHost, int peerPort)}} instead of {{SSLContext.createSSLEngine()}}: the host name and port
are just used as an indication and are not necessarily linked to what's actually used for
the connection by the channels.)
> Server Name Indication (SNI) Support
> ------------------------------------
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>         Attachments: HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically test host access and availability.

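The {{SSLEngine}} point at the end of the comment can be checked without Wireshark or a network connection. The following is an added example, not code from the issue, the attached patch or HttpClient: it builds a {{Client Hello}} with each {{createSSLEngine}} overload and looks for the {{server_name}} extension (type 0). The class name, the two helper methods and the host {{www.example.com}} are assumptions made for the illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;

public class SniClientHelloCheck {

    // Produce the first handshake flight (ClientHello) in memory; no socket is opened.
    static ByteBuffer clientHello(SSLEngine engine) throws Exception {
        engine.setUseClientMode(true);
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out);
        out.flip();
        return out;
    }

    // Walk the ClientHello fields and report whether extension type 0 (server_name) is present.
    static boolean hasServerNameExtension(ByteBuffer b) {
        // Skip record header (5), handshake header (4), client_version (2), random (32).
        b.position(5 + 4 + 2 + 32);
        b.position(b.position() + 1 + (b.get(b.position()) & 0xff));        // session_id
        b.position(b.position() + 2 + (b.getShort(b.position()) & 0xffff)); // cipher_suites
        b.position(b.position() + 1 + (b.get(b.position()) & 0xff));        // compression_methods
        if (b.remaining() < 2) {
            return false; // ClientHello carries no extensions block
        }
        int extensionsLength = b.getShort() & 0xffff;
        int end = b.position() + extensionsLength;
        while (b.position() + 4 <= end) {
            int type = b.getShort() & 0xffff;
            int length = b.getShort() & 0xffff;
            if (type == 0) {
                return true;
            }
            b.position(b.position() + length); // skip this extension's body
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Assumed host name; it is only passed as a hint and is never resolved or contacted.
        SSLEngine withHost = ctx.createSSLEngine("www.example.com", 443);
        SSLEngine withoutHost = ctx.createSSLEngine();
        System.out.println("createSSLEngine(host, port): server_name present = "
                + hasServerNameExtension(clientHello(withHost)));
        System.out.println("createSSLEngine():           server_name present = "
                + hasServerNameExtension(clientHello(withoutHost)));
    }
}
```

On Java 8 and later the name can also be set explicitly with {{SSLParameters.setServerNames(...)}}, which removes the dependency on which factory overload was called.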