hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bruno Harbulot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1119) Server Name Indication (SNI) Support
Date Wed, 18 Sep 2013 12:16:53 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13770705#comment-13770705
] 

Bruno Harbulot commented on HTTPCLIENT-1119:
--------------------------------------------

@Oleg:

Indeed, in principle, it could work using the host from {{InetAddress}}, but it doesn't. I
guess it's there to capture the intent. {{InetAddress.getHostName()}} does retain the host
name, but it also does a reverse lookup if it came from an IP address, which may not have
been the intent.

Try the two snippets of code above and look at the {{Client Hello}} message with Wireshark,
you'll see only the first one has the {{server_name}} extension.

If you look at the [{{SSLSocketImpl}} source code|http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/ssl/SSLSocketImpl.java],
only the methods that have {{String host}} parameters set the internal {{host}} name used
for SNI.

(Similarly, for {{SSLEngine}}, you need to create it with {{SSLContext.createSSLEngine(String
peerHost, int peerPort)}} instead of {{SSLContext.createSSLEngine()}}: the host name and port
are just used as an indication and are not necessarily linked to what's actually used for
the connection by the channels.)
                
> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL using http
client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost>
!= <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically
test host access and availability.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message