From "Bruno Harbulot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1119) Server Name Indication (SNI) Support
Date Wed, 16 Oct 2013 14:13:42 GMT

[ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13796819#comment-13796819 ]

Bruno Harbulot commented on HTTPCLIENT-1119:
--------------------------------------------

I agree this is not very well documented, but I think this makes sense.

I think they just require the host name to be passed as a {{String}}, to prevent problems
when trying to get the host name from {{InetAddress}}. Indeed, {{InetAddress.getHostName()}}
doesn't necessarily return the initial argument to {{InetAddress.getByName(...)}} (for example,
if it's an IP address in text form, which is allowed according to the documentation).

Since there is no direct way to set the host once the socket is created (in the public API
of {{SSLSocket}}), this seemed to have been a way to implement SNI in a way that disrupted
the public API the least.

Unfortunately, all of the {{javax.net.ssl.SSLSocketFactory.createSocket(...)}} methods that
create a socket using a {{String}} parameter to pass the host name also connect this socket
immediately, _except_ the one that overlays the {{SSLSocket}} on top of a plain {{Socket}}.

Since Apache HttpClient uses its sockets in such a way that they cannot be created and connected
in the same call to the JRE's socket factory, using a plain socket first makes this work,
because it's the only way to make use of a suitable {{j.n.s.SSLSocketFactory.createSocket(...)}}
method, after the socket creation.

Another way to achieve this would be to change the Apache HttpClient API in such a way that
it doesn't have to rely on separate calls to {{createSocket}} and {{connectSocket}} of its
own socket factories, but this would certainly be a more disruptive change in Apache HttpClient.

I'll try this patch with HC 4.3 shortly.

> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: apache_httpclient_4.2.x_sni.patch, HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546 (section 3.1).
> Currently attempting to connect to SNI-enabled host 'expectedhost' over SSL using http
> client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost>
> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to automatically
> test host access and availability.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
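The two-step construction Bruno describes (connect a plain `Socket` first, then layer an `SSLSocket` on it with the host name passed as a `String`) can be shown in isolation. The following is an added example written for this archive page; it is not HttpClient code and not the content of either attached patch. It assumes a Java 7 or later JSSE, and the class and method names (`SniLayeredSocketExample`, `connectWithSni`, `negotiatedPeerHost`) are invented for the illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added illustration (not HttpClient code): connect a plain Socket, then overlay
 * an SSLSocket with the host name given as a String so the JRE (Java 7+) can
 * send the SNI extension. Class and method names are hypothetical.
 */
public class SniLayeredSocketExample {

    /** Server name as it must be sent in SNI: the caller's original String, a DNS name. */
    static String sniHostName(String requested) {
        // RFC 3546 (and its successor RFC 6066) forbids IP literals in server_name,
        // and InetAddress.getHostName() may not return the name the caller used,
        // so the original String is kept rather than derived from an InetAddress.
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("host name required for SNI");
        }
        return requested;
    }

    public static SSLSocket connectWithSni(String hostName, int port, int timeoutMillis)
            throws IOException {
        String sniName = sniHostName(hostName);

        // Step 1: plain socket created and connected in separate calls, mirroring
        // HttpClient's split between createSocket and connectSocket.
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(hostName, port), timeoutMillis);

        // Step 2: the one SSLSocketFactory.createSocket(...) overload that accepts a
        // String host and does not connect on its own. On Java 7+ the JSSE uses this
        // String to populate the SNI extension in the ClientHello.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, sniName, port, true);

        // Enable the JSSE's built-in host name check (Java 7+) so a certificate
        // issued for a different name fails the handshake instead of being accepted.
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);

        ssl.startHandshake();
        return ssl;
    }

    /** Host name the JSSE associated with the session; handy to confirm what was sent. */
    public static String negotiatedPeerHost(SSLSocket ssl) {
        SSLSession session = ssl.getSession();
        return session.getPeerHost();
    }

    public static void main(String[] args) throws IOException {
        // "example.invalid" is a placeholder; pass a real host and port as arguments.
        String host = args.length > 0 ? args[0] : "example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLSocket ssl = connectWithSni(host, port, 10_000);
        try {
            System.out.println("protocol=" + ssl.getSession().getProtocol()
                    + " cipher=" + ssl.getSession().getCipherSuite()
                    + " peerHost=" + negotiatedPeerHost(ssl));
        } finally {
            ssl.close(); // autoClose=true also closes the underlying plain socket
        }
    }
}
```

Run as `java SniLayeredSocketExample <host> [port]`. If the server presents a certificate for a different name, `startHandshake()` throws an `SSLHandshakeException` because endpoint identification is enabled; in HttpClient that check is done by its own verifier instead (the `AbstractVerifier` frame in the quoted report), which is why getting the correct name into the SNI extension matters for the connection to succeed at all. On a Java 6 runtime the layered socket still works but no SNI extension is sent.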
