SNI client-side mystery using Java8

by

This answer comes late, but we just have hit the problem (I can’t believe it, it seems a very big bug).

All what it said seems true, but it’s not default HostnameVerifier the culprit but the troubleshooter. When HttpsClient do afterConnect first try to establish setHost (only when socket is SSLSocketImpl):

SSLSocketFactory factory = sslSocketFactory;
try {
    if (!(serverSocket instanceof SSLSocket)) {
        s = (SSLSocket)factory.createSocket(serverSocket,
                                            host, port, true);
    } else {
        s = (SSLSocket)serverSocket;
        if (s instanceof SSLSocketImpl) {
            ((SSLSocketImpl)s).setHost(host);
        }
    }
} catch (IOException ex) {
    // If we fail to connect through the tunnel, try it
    // locally, as a last resort.  If this doesn't work,
    // throw the original exception.
    try {
        s = (SSLSocket)factory.createSocket(host, port);
    } catch (IOException ignored) {
        throw ex;
    }
}

If you use a custom SSLSocketFactory without override createSocket() (the method without parameters), the createSocket well parametrized is used and all works as expected (with client sni extension). But when second way it’s used (try to setHost en SSLSocketImpl) the code executed is:

// ONLY used by HttpsClient to setup the URI specified hostname
//
// Please NOTE that this method MUST be called before calling to
// SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
// may override SNIHostName in the customized server name indication.
synchronized public void setHost(String host) {
    this.host = host;
    this.serverNames =
        Utilities.addToSNIServerNameList(this.serverNames, this.host);
}

The comments say all. You need to call setSSLParameters before client handshake. If you use default HostnameVerifier, HttpsClient will call setSSLParameters. But there is no setSSLParameters execution in the opposite way. The fix should be very easy for Oracle:

SSLParameters paramaters = s.getSSLParameters();
if (isDefaultHostnameVerifier) {
    // If the HNV is the default from HttpsURLConnection, we
    // will do the spoof checks in SSLSocket.
    paramaters.setEndpointIdentificationAlgorithm("HTTPS");

    needToCheckSpoofing = false;
}
s.setSSLParameters(paramaters);

Java 9 is working as expected in SNI. But they (Oracle) seem not to want fix this:

More Related Contents:

  1. Extended server_name (SNI Extension) not sent with jdk1.8.0 but send with jdk1.7.0
  2. Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
  3. Received fatal alert: handshake_failure through SSLHandshakeException
  4. Java HTTPS client certificate authentication
  5. Java client certificates over HTTPS/SSL
  6. Java SSLHandshakeException “no cipher suites in common”
  7. Trust Store vs Key Store – creating with keytool
  8. How to extract CN from X509Certificate in Java?
  9. Importing the private-key/public-certificate pair in the Java KeyStore [duplicate]
  10. HTTPS GET (SSL) with Android and self-signed server certificate
  11. Does Java support Let’s Encrypt certificates?
  12. limiting java ssl debug logging
  13. HttpGet with HTTPS : SSLPeerUnverifiedException
  14. How to set TLS version on apache HttpClient
  15. Javamail Could not convert socket to TLS GMail
  16. Java and HTTPS url connection without downloading certificate
  17. Whats an easy way to totally ignore ssl with java url connections?
  18. Why does Java’s SSLSocket send a version 2 client hello?
  19. SSLHandshakeException while connecting to a https site
  20. SSLHandShakeException No Appropriate Protocol
  21. How do I do TLS with BouncyCastle?
  22. Java SSL connect, add server cert to keystore programmatically
  23. Java SSLException: hostname in certificate didn’t match
  24. Using SSLContext with just a CA certificate and no keystore
  25. How to configure trustStore for javax.net.ssl.trustStore on windows?
  26. How to make Java 6, which fails SSL connection with “SSL peer shut down incorrectly”, succeed like Java 7?
  27. SSLSocket ignores domain mismatch
  28. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  29. Can we load multiple Certificates & Keys in a Key Store?
  30. Java HttpsURLConnection and TLS 1.2

Leave a Comment