[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579353#comment-13579353
 ] 

Will Norris commented on HTTPCLIENT-1119:
-----------------------------------------

Adding support for SNI has no bearing on how that certificate is validated, 
with the exception that the *lack* of SNI support encourages developers to turn 
off host verification altogether in order to get things to work.  Adding support 
for SNI will in fact *increase* the ability to have secure applications.  And 
while I'm not intimately familiar with how HttpClient does cert validation, I 
suspect that simply switching out the hostname verifier is not sufficient, as 
SNI requires the desired hostname to be specified in the initial handshake.

Regarding the mention of Android and HttpClient earlier in this thread, see 
http://android-developers.blogspot.com/2011/09/androids-http-clients.html.  
Most specifically, the very last line: "New applications should use 
HttpURLConnection; it is where we will be spending our energy going forward."
                
> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: 
> HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546 
> (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL 
> using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>   at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to 
> automatically test host access and availability.

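The point made in the comment above, that the server name travels in the initial handshake and is independent of hostname verification, as an added example (not code from the comment, the attached patch, or HttpClient). It uses the JDK's own `javax.net.ssl` API (Java 8 or later) to build a ClientHello offline with and without SNI; the class name `SniClientHello` and the host `expectedhost.example` are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.*;

public class SniClientHello {
    // Produce the raw bytes of the first handshake flight (ClientHello) for host.
    static byte[] clientHello(String host, boolean sendSni) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, 443);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // Hostname verification is a separate setting; it stays enabled either way
        // and is applied later, to whatever certificate the server selects.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        List<SNIServerName> names = sendSni
                ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                : Collections.<SNIServerName>emptyList(); // empty list: no SNI extension
        params.setServerNames(names);
        engine.setSSLParameters(params);
        engine.beginHandshake();
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), net); // engine is in NEED_WRAP: emits ClientHello
        net.flip();
        byte[] hello = new byte[net.remaining()];
        net.get(hello);
        return hello;
    }

    // True if needle occurs anywhere in haystack.
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = "expectedhost.example"; // constructed name, never contacted
        byte[] name = host.getBytes(StandardCharsets.US_ASCII);
        System.out.println("SNI set:   name in ClientHello = " + contains(clientHello(host, true), name));
        System.out.println("SNI empty: name in ClientHello = " + contains(clientHello(host, false), name));
    }
}
```

Because the endpoint identification algorithm is `HTTPS` in both cases, a client that omits SNI still verifies the certificate; it simply verifies the default virtual host's certificate, which is the mismatch reported in the issue.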