hc-dev mailing list archives

From "Bruno Harbulot (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HTTPCLIENT-1119) Server Name Indication (SNI) Support
Date Wed, 16 Oct 2013 12:17:53 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno Harbulot updated HTTPCLIENT-1119:

    Attachment: apache_httpclient_4.2.x_sni.patch

Here is a patch to support SNI (when using Java 7) with Apache HttpClient 4.2.x. This doesn't
require any changes from the user's point of view, doesn't use any reflection or any code
specific to Java 7 (it will simply not use SNI with a JRE that doesn't support it).

Here is a bit of background. To get client-side support with Java 7 (at least with JREs that
are based on the OpenJDK), the {{SSLSocket}} must be created using one of the {{createSocket}}
methods that take the {{String host}} (*not* the {{InetAddress host}}) parameter.

In particular, this causes problems, because of the way HttpClient first creates the (non-connected)
socket, changes some of its settings, and only connects it later.

This patch addresses this problem by creating a normal {{Socket}} in all cases, thereby allowing
HttpClient to make any setting to the socket before connection (timeout, local address re-use,
...), and then make use of {{SSLSocketFactory.createSocket(Socket s, String host, int port,
boolean autoClose)}}, which will make use of SNI when available.

I had made a [first attempt|https://github.com/harbulot/httpclient/commits/4.2.x_sni_experiment1]
to change this by re-ordering some of the content of the {{connectSocket}} method in HttpClient's
{{SSLSocketFactory}}. This worked, but was unsatisfactory because this would prevent some
parameters from being set before connecting (this would affect the timeout setting
before connection as well as the ability to use {{sock.setReuseAddress}} when the local address
needs to be re-used).

> Server Name Indication (SNI) Support
> ------------------------------------
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>         Attachments: apache_httpclient_4.2.x_sni.patch, HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL using http
> client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically
> test host access and availability.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
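
The socket-layering sequence described in the message above, as an added example that is not taken from the attached patch or from HttpClient: a plain socket is configured and connected first, TLS is then layered on with the `String host` overload, and a loopback listener checks that the ClientHello carries the name. The class name, the host name `expectedhost.example` and the loopback listener are assumptions made for the demonstration; the lambda needs Java 8 or later.

```java
import javax.net.ssl.*;
import java.io.DataInputStream;
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class SniLayeringDemo {
    // Constructed host name: it is never resolved, only offered in the ClientHello.
    static final String HOST = "expectedhost.example";

    /** Returns true if the ClientHello sent to a loopback listener contains the host name. */
    static boolean clientHelloCarriesHost() throws Exception {
        try (ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            // Step 1: plain, unconnected socket, so options can be set before connect().
            Socket plain = new Socket();
            plain.setReuseAddress(true);
            plain.setSoTimeout(2000);
            plain.connect(new InetSocketAddress(listener.getInetAddress(), listener.getLocalPort()), 2000);
            // Step 2: layer TLS over the connected socket, passing the host as a String.
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) factory.createSocket(plain, HOST, listener.getLocalPort(), true);
            // SNI only selects the certificate; the JSSE check that it matches HOST is opt-in.
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            tls.setSSLParameters(params);

            // The listener speaks no TLS, so the handshake fails after the ClientHello is sent.
            Thread client = new Thread(() -> {
                try { tls.startHandshake(); } catch (IOException expected) { /* no TLS peer */ }
            });
            client.start();
            byte[] record;
            try (Socket peer = listener.accept()) {
                DataInputStream in = new DataInputStream(peer.getInputStream());
                byte[] header = new byte[5];               // TLS record header
                in.readFully(header);
                record = new byte[((header[3] & 0xff) << 8) | (header[4] & 0xff)];
                in.readFully(record);
            }
            client.join();
            tls.close();                                    // autoClose=true also closes 'plain'
            // Simplification: a byte search instead of parsing the server_name extension.
            return new String(record, StandardCharsets.ISO_8859_1).contains(HOST);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("ClientHello carries " + HOST + ": " + clientHelloCarriesHost());
    }
}
```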
