[
https://issues.apache.org/jira/browse/HTTPCLIENT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13796819#comment-13796819
]
Bruno Harbulot commented on HTTPCLIENT-1119:
--------------------------------------------
I agree this is not very well documented, but I think this makes sense.

I think they just require the host name to be passed as a {{String}}, to
prevent problems when trying to get the host name from {{InetAddress}}. Indeed,
{{InetAddress.getHostName()}} doesn't necessarily return the initial argument
to {{InetAddress.getByName(...)}} (for example, if it's an IP address in text
form, which is allowed according to the documentation).

Since there is no direct way to set the host once the socket is created (in the
public API of {{SSLSocket}}), this seemed to have been a way to implement SNI
in a way that disrupted the public API the least.

Unfortunately, all of the {{javax.net.ssl.SSLSocketFactory.createSocket(...)}}
methods that create a socket using a {{String}} parameter to pass the host name
also connect this socket immediately, _except_ the one that overlays the
{{SSLSocket}} on top of a plain {{Socket}}.

Since Apache HttpClient uses its sockets in such a way that they cannot be
created and connected in the same call to the JRE's socket factory, using a
plain socket first makes this work, because it's the only way to make use of a
suitable {{j.n.s.SSLSocketFactory.createSocket(...)}} method, after the socket
creation.

Another way to achieve this would be to change the Apache HttpClient API in
such a way that it doesn't have to rely on separate calls to {{createSocket}}
and {{connectSocket}} of its own socket factories, but this would certainly be
a more disruptive change in Apache HttpClient.

I'll try this patch with HC 4.3 shortly.

> Server Name Indication (SNI) Support
> ------------------------------------
>
> Key: HTTPCLIENT-1119
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1119
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Reporter: Gus Power
> Labels: sni, ssl, tls, vhost
> Fix For: Future
>
> Attachments: apache_httpclient_4.2.x_sni.patch,
> HTTPCLIENT-1119-support-SNI-on-Java-7-via-setHost-of.patch
>
>
> Provide support for Server Name Indication (SNI) support as per RFC 3546
> (section 3.1).
> Currently attempting to connect to SNI enabled host 'expectedhost' over SSL
> using http client results in an SSLException similar to:
> javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
> We use SNI on some of our environments and were trying to use httpclient to
> automatically test host access and availability.
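
The create, connect, then overlay sequence described in the comment above, as an added example that is not code from the attached patches or from Apache HttpClient. The class name, the `layerTls` helper and the host name `expectedhost.example` are hypothetical, and the explicit `setServerNames` call uses the Java 8 API, which goes beyond the Java 7 approach the comment discusses.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LayeredSniDemo {

    // Overlay TLS on an already-connected plain socket, passing the host name
    // as a String so that it is never derived from an InetAddress.
    static SSLSocket layerTls(Socket connected, String hostName, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) factory.createSocket(connected, hostName, port, true);
        SSLParameters params = ssl.getSSLParameters();
        // Java 8+ only: state the SNI name explicitly rather than relying on the String argument.
        params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(hostName)));
        // Have JSSE check the server certificate against hostName during the handshake.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        String hostName = "expectedhost.example"; // constructed name, not resolved here
        // Constructed stand-in for a server: a local plain listener, so this runs offline.
        try (ServerSocket listener = new ServerSocket(0, 1, loopback)) {
            int port = listener.getLocalPort();
            Socket plain = new Socket();                           // separate "create" step
            plain.connect(new InetSocketAddress(loopback, port), 2000); // separate "connect" step
            try (SSLSocket ssl = layerTls(plain, hostName, port)) {
                // No handshake is started; only the configured parameters are inspected.
                SSLParameters p = ssl.getSSLParameters();
                System.out.println("SNI names: " + p.getServerNames());
                System.out.println("Endpoint identification: " + p.getEndpointIdentificationAlgorithm());
            }
        }
    }
}
```

The plain socket is connected by address while the name used for SNI and certificate checking is supplied separately as a `String`, which is the separation the comment describes.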