hc-httpclient-users mailing list archives

From Feroze Daud <khic...@yahoo.com.INVALID>
Subject Re: Sample code for sending SNI request ?
Date Tue, 16 Sep 2014 21:15:11 GMT
Ok, I enabled SSL. I have attached the trace here.

You will notice that the server is sending an expired cert with a CommonName that does not
match. It does this because the client is not supporting SNI. If the client supported SNI
in the request, it would get back a valid cert. I have verified this by using openssl.

$ openssl s_client -connect thecascadeteam.com:443 -CApath /etc/ssl/certs/ -verify 3 </dev/null
vs
$ openssl s_client -servername thecascadeteam.com -connect thecascadeteam.com:443 -CApath
/etc/ssl/certs/ -verify 3 </dev/null


Here is the java ssl trace...

--
2014-09-16 14:11:35,534 DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec
selected: best-match
2014-09-16 14:11:35,542 DEBUG [org.apache.http.client.protocol.RequestAuthCache] Auth cache
not set in the context
2014-09-16 14:11:35,543 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection request: [route: {s}->https://thecascadeteam.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2014-09-16 14:11:35,555 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection leased: [id: 0][route: {s}->https://thecascadeteam.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2014-09-16 14:11:35,557 DEBUG [org.apache.http.impl.execchain.MainClientExec] Opening connection
{s}->https://thecascadeteam.com:443
2014-09-16 14:11:35,561 DEBUG [org.apache.http.impl.conn.HttpClientConnectionOperator] Connecting
to thecascadeteam.com/67.192.9.195:443
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1410836103 bytes = { 53, 159, 40, 146, 236, 242, 175, 2, 166, 3, 9, 55,
226, 31, 234, 169, 19, 210, 40, 218, 171, 35, 143, 184, 100, 158, 235, 34 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1410836327 bytes = { 198, 77, 174, 100, 73, 26, 132, 180, 245, 186, 47,
22, 55, 16, 198, 23, 59, 170, 128, 5, 218, 201, 155, 25, 251, 144, 121, 72 }
Session ID:  {22, 217, 38, 43, 7, 55, 250, 251, 55, 24, 226, 93, 181, 78, 236, 75, 124, 171,
133, 232, 25, 243, 11, 17, 91, 17, 188, 189, 57, 110, 141, 7}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 961
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: EMAILADDRESS=info@parallels.com, CN=Parallels Panel, OU=Parallels Panel, O=Parallels,
L=Herndon, ST=Virginia, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 22994848279003529171322105433938759692822368732063903858368610748237449317173695122042003543720092746063068746474747884306012432118319515853223774859373616146120409956200887652475628189917992056313693430544210353036408390857370759005878081225289165354730634374570719587192535639763296254739754725160784306213910726454521387775388272582309040417978045387494996137933929788285594968884535129242018182621780947121544427423338488946335683351244045300489225415934921014022147851916526797101050369604962368275336285529959135638317876855822130673248503921048649567555227883256430711156119763110383403686414663712772558427109
  public exponent: 65537
  Validity: [From: Thu Apr 04 13:53:59 PDT 2013,
               To: Fri Apr 04 13:53:59 PDT 2014]
  Issuer: EMAILADDRESS=info@parallels.com, CN=Parallels Panel, OU=Parallels Panel, O=Parallels,
L=Herndon, ST=Virginia, C=US
  SerialNumber: [    515de867]

]
  Algorithm: [SHA1withRSA]
  Signature:
--


On Tuesday, September 16, 2014 2:08 AM, Oleg Kalnichevski <olegk@apache.org> wrote:
 


On Mon, 2014-09-15 at 14:36 -0700, Feroze Daud wrote:

> hi!
> 
> We are using httpcomponents v 4.3.5. Last year there was a bug on the topic of supporting
SNI on JDK7, and a patch was made in late december. The ship vehicle for the patch was 4.3.2.
> 
> However, I cannot find any example that shows how to enable this for the http client.
> 
> Please point me to some info. I can volunteer to fix the documentation with the details
so that it might help others in the future.
> 
> Thanks.

Feroze,

SNI should work completely transparently when running on Java 1.7 or
newer. No configuration is required. If for whatever reason SSL
handshake with SNI enabled server fails you should be able to find out
why (and whether or not the SNI extension was properly employed) by
turning on SSL debug logging as described here

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug


Oleg
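Added example, not code from this thread and not from the HttpClient project: the HttpClient 4.3 client configuration a practitioner would try after reading the trace above, and the check to run against its debug output. Two things in that trace are worth noticing. The printed ClientHello has no "Extension server_name" line, which JSSE prints when it attaches an SNI extension to the hello, and the record actually written is an "SSLv2 client hello message"; the SSLv2-compatible hello format has no extensions field, so SNI cannot travel in it. Restricting the enabled protocols to TLS versions, as below, takes SSLv2Hello out of the handshake. The class name SniClientExample is this example's own; the target URL is the host from the thread; the API calls used (SSLContexts.createDefault, the four-argument SSLConnectionSocketFactory constructor, HttpClients.custom().setSSLSocketFactory) are HttpClient 4.3 ones.

```java
import java.io.IOException;

import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

/**
 * Example class (name is this example's own) showing an HttpClient 4.3.x
 * client whose TLS socket factory only enables TLS protocol versions, so the
 * ClientHello goes out as a TLS record with an extensions field rather than
 * in the SSLv2-compatible format seen in the trace above.
 */
public class SniClientExample {

    /** Builds a client that trusts the JRE's default trust store and offers TLS only. */
    public static CloseableHttpClient newTlsOnlyClient() {
        // Default context: JRE cacerts as trust anchors, no client certificate.
        SSLContext sslContext = SSLContexts.createDefault();

        // Enabled protocols on every socket this factory creates. On JDK 7 all
        // three are supported by JSSE, though only TLSv1 is enabled for clients
        // by default; SSLv2Hello is deliberately absent from this list.
        String[] protocols = { "TLSv1", "TLSv1.1", "TLSv1.2" };

        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                protocols,
                null, // null = keep the JSSE default cipher suites
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);

        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws IOException {
        // Host from the thread; any SNI-dependent virtual host will do.
        String url = args.length > 0 ? args[0] : "https://thecascadeteam.com/";

        CloseableHttpClient client = newTlsOnlyClient();
        try {
            CloseableHttpResponse response = client.execute(new HttpGet(url));
            try {
                // If the wrong (expired, CN-mismatched) certificate is still
                // presented, execute() throws before we get here because the
                // hostname verifier and trust manager reject it.
                System.out.println(response.getStatusLine());
                EntityUtils.consume(response.getEntity());
            } finally {
                response.close();
            }
        } finally {
            client.close();
        }
    }
}
```

Run it with -Djavax.net.debug=ssl:handshake and compare with the trace above: the ClientHello should now carry an "Extension server_name" line naming the host, there should be no "SSLv2 client hello message" write, and chain [0] should show the subject and validity dates that the openssl -servername run returned. If the extension is still missing on JDK 7, confirm the system property jsse.enableSNIExtension has not been set to false.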