[ https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno Harbulot updated HTTPCLIENT-1119:
---------------------------------------

    Attachment: apache_httpclient_4.2.x_sni.patch

Here is a patch to support SNI (when using Java 7) with Apache HttpClient 
4.2.x. This doesn't require any changes from the user's point of view, doesn't 
use any reflection or any code specific to Java 7 (it will simply not use SNI 
with a JRE that doesn't support it).

Here is a bit of background. To get client-side support with Java 7 (at least 
with JREs that are based on the OpenJDK), the {{SSLSocket}} must be created 
using one of the {{createSocket}} methods that take the {{String host}} 
(*not* the {{InetAddress host}}) parameter.

In particular, this causes problems, because of the way HttpClient first 
creates the (non-connected) socket, changes some of its settings, and only 
connects it later.

This patch addresses this problem by creating a normal {{Socket}} in all cases, 
thereby allowing HttpClient to make any setting to the socket before connection 
(timeout, local address re-use, ...), and then make use of 
{{SSLSocketFactory.createSocket(Socket s, String host, int port, boolean 
autoClose)}}, which will make use of SNI when available.

I had made a [first 
attempt|https://github.com/harbulot/httpclient/commits/4.2.x_sni_experiment1] 
to change this by re-ordering some of the content of the {{connectSocket}} 
method in HttpClient's {{SSLSocketFactory}}. This worked, but was 
unsatisfactory because this would prevent some parameters from being set before 
connecting (this would affect the timeout setting before connection 
as well as the ability to use {{sock.setReuseAddress}} when the local address 
needs to be re-used).

> Server Name Indication (SNI) Support
> ------------------------------------
>
>                 Key: HTTPCLIENT-1119
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>            Reporter: Gus Power
>              Labels: sni, ssl, tls, vhost
>             Fix For: Future
>
>         Attachments: apache_httpclient_4.2.x_sni.patch, 
> HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) as per RFC 3546 
> (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL 
> using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: 
> <expectedhost> != <defaulthost>
>   at 
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to 
> automatically test host access and availability.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
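
The connect-then-layer approach described in the message above, as an added example (not code from the attached patch or from HttpClient). The class and method names are hypothetical, only standard JSSE calls are used, and the HTTPS endpoint identification step is an addition the message does not discuss.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SniLayeredConnect {

    // Hypothetical helper: configure and connect a plain Socket first, then
    // layer TLS over it with the createSocket overload that takes a String host.
    static SSLSocket connect(String host, int port, InetSocketAddress local,
                             int connectTimeoutMs, int soTimeoutMs) throws IOException {
        Socket plain = new Socket();              // unconnected, still configurable
        try {
            if (local != null) {
                plain.setReuseAddress(true);      // only effective before bind()
                plain.bind(local);
            }
            plain.setSoTimeout(soTimeoutMs);
            plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);

            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            // The host *name* passed here is what a Java 7+ JSSE provider can
            // send as the SNI server_name; an InetAddress carries no name.
            SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);

            // A raw SSLSocket does not check the certificate against the host
            // name; request the HTTPS rules explicitly (available since Java 7).
            SSLParameters params = ssl.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(params);

            ssl.startHandshake();
            return ssl;
        } catch (IOException e) {
            plain.close();                        // also releases the layered socket
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SniLayeredConnect <host>");
            return;
        }
        try (SSLSocket s = connect(args[0], 443, null, 5000, 5000)) {
            System.out.println("Peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Against a name-based virtual host, the printed peer principal should belong to the requested host rather than the server's default certificate when the JRE sends SNI.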