[
https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579273#comment-13579273
]
John Vasileff commented on HTTPCLIENT-1119:
-------------------------------------------
Oleg,

My understanding is that SNI's sole purpose is to support multiple https sites
on a single IP, and it is not to either increase or decrease the level of
security. Sending the domain name over the wire in an SNI scenario is nearly
equivalent information to the IP address of the web host in a single web site
per IP scenario. If other platforms have standardized on supporting SNI, why
shouldn't the Java universe? The world is stuck with one-site-per-IPv4-address
until support for SNI is ubiquitous.

Is the real issue the use of reflection in the offered patch, or a desire to
not use SNI by default? If the former, any suggestions to work around this? I
haven't looked at the code, but along the lines of what Josef asked, do you
have a hunch as to the effort of implementing this without reflection or
generally what must be done? Is the argument against reflection performance or
aesthetics?

John

> Server Name Indication (SNI) Support
> ------------------------------------
>
> Key: HTTPCLIENT-1119
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Reporter: Gus Power
> Labels: sni, ssl, tls, vhost
> Fix For: Future
>
> Attachments:
> HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546
> (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL
> using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to
> automatically test host access and availability.
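
The failure in the issue description comes down to whether the client's ClientHello carries a server_name extension, and the comment's point is that this name travels in cleartext. As an added example (not part of the original thread, and using Python's ssl module rather than HttpClient), the following builds a ClientHello in memory with and without a hostname and parses out the SNI value; the host name expectedhost.example is constructed.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the raw first TLS flight (ClientHello) without any network I/O."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False  # ssl refuses hostname checks without a hostname
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, no server reply exists
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the host_name from the server_name extension, or None if absent."""
    hs = b""
    while len(data) >= 5:  # reassemble handshake records (content type 22)
        rtype, _version, rlen = struct.unpack("!BHH", data[:5])
        if rtype == 22:
            hs += data[5:5 + rlen]
        data = data[5 + rlen:]
    if len(hs) < 4 or hs[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None  # ClientHello without any extensions
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        # Extension 0 = server_name: list_len(2) name_type(1) name_len(2) name
        if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:
            name_len = int.from_bytes(ext[3:5], "big")
            return ext[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

if __name__ == "__main__":
    for host in ("expectedhost.example", None):  # constructed sample input
        print(host, "->", sni_from_client_hello(client_hello(host)))
```

A client that omits the extension (the second case) gives a name-based virtual host server nothing to select a certificate by, so it presents its default one, which is the mismatch the SSLException reports.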