Cross-posting to security-dev.

Hi Tim,

On 8/21/2012 8:07 PM, Tim Gustafson wrote:

> I see that Java is supposed to support SNI, but it's not clear to me
> how this happens, or where it happens, or if support for SNI extends
> only to client SSLSocket object, or if it also applies to
> SSLServerSocket objects.  I can't find any documentation to tell me
> exactly how Java supports SNI, nor can I find any examples of using
> SNI, even from the client side of things.

We currently only support client side sending of the SNI extension.

Our client handshakers look to see if the SNI Extension is enabled (System Property: jsse.enableSNIExtension=true). If so, then if the SSLSocket/SSLEngine was created with a Fully Qualified Domain Name hostname, then we will load that hostname into an RFC 6066 "host_name" extension [1] and send it as part of the ClientHello.

We don't currently have APIs to specify alternate server names on the client side, or to observe the received SNI extensions on the server side. We are right in the middle of designing the APIs for that[2]. We will likely be posting a new version in the next week or so to the security-dev mailing list.

> I'd like my chooseServerAlias function in my X509KeyManager
> implementation to pick a server alias based on what server the client
> is attempting to connect to.  But, I can't seem to find any properties
> that are available through the "keyType", "issuers" or "socket"
> parameters that are passed to that method that would tell me which
> server the client is attempting to connect to.

Earlier versions of the APIs are available via the security-dev mail archives[3], but I would suggest waiting for the next iteration.

> I thought perhaps that I could make my client SSLSocket specify which
> issuer/subject it was expecting to find on the server (and that
> information would find its way to the "issuers" parameter of the
> chooseServerAlias method), but I can't find any way to tell the client
> SSLSocket which certificate to expect or which local certificate to
> offer to the remote server.
>
> So, short version: where is Java's support for SNI actually documented
> in detail?  And are there any sample code snippets that would show me
> how to use SNI?  Or is Java's SNI implementation just based on the
> host name that you specify when creating your client SSLSocket?

Yes.

> If so, where does that host name information show up in the
> chooseServerAlias function?

Working on this for JDK 8.

> Thanks for any help in advance!

Hope this helps,

Brad

[1] http://www.rfc-editor.org/rfc/rfc6066.txt
[2] http://openjdk.java.net/jeps/114
[3] http://mail.openjdk.java.net/pipermail/security-dev/2012-August/005285.html
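Added example (not Brad's code and not part of the JDK): a self-contained probe that shows the client-side behaviour described above, namely that JSSE sends an RFC 6066 host_name extension only when jsse.enableSNIExtension is true and the SSLSocket was created with a fully qualified hostname. It opens a plain ServerSocket on the loopback interface, connects an SSLSocket to it through the SSLSocketFactory.createSocket(Socket, host, port, autoClose) overload (so the hostname is supplied without DNS), reads the raw ClientHello and parses the extensions itself. The hostnames "www.example.com" and "nodot" are constructed inputs; the probe server never answers, so each client handshake is expected to fail with an IOException, which the example swallows. The ClientHello parser is a minimal one written for this example and assumes the whole ClientHello fits in a single TLS record.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SniProbe {

    static int u16(byte[] b, int p) { return ((b[p] & 0xff) << 8) | (b[p + 1] & 0xff); }

    // Walk one TLS record holding a ClientHello and return the RFC 6066
    // host_name from the server_name extension (type 0), or null if absent.
    static String hostNameFromClientHello(byte[] rec) {
        if (rec[0] != 0x16) return null;            // record ContentType: handshake
        int end = 5 + u16(rec, 3);                  // record header + length
        int p = 5;
        if (rec[p] != 0x01) return null;            // HandshakeType: client_hello
        p += 4;                                     // msg_type(1) + length(3)
        p += 2 + 32;                                // client_version + random
        p += 1 + (rec[p] & 0xff);                   // session_id
        p += 2 + u16(rec, p);                       // cipher_suites
        p += 1 + (rec[p] & 0xff);                   // compression_methods
        if (p + 2 > end) return null;               // no extensions block at all
        int extEnd = p + 2 + u16(rec, p);
        p += 2;
        while (p + 4 <= extEnd) {
            int type = u16(rec, p);
            int len = u16(rec, p + 2);
            p += 4;
            if (type == 0) {                        // server_name extension
                int q = p + 2;                      // skip ServerNameList length
                if (rec[q] == 0) {                  // NameType host_name(0)
                    int nameLen = u16(rec, q + 1);
                    return new String(rec, q + 3, nameLen, StandardCharsets.US_ASCII);
                }
            }
            p += len;
        }
        return null;
    }

    // Client side: layer SSL over an already-connected loopback socket so the
    // hostname passed here is the one JSSE sees, with no DNS lookup involved.
    static void connectWithHostName(String hostName, int port) {
        try {
            Socket plain = new Socket(InetAddress.getLoopbackAddress(), port);
            SSLSocket ssl = (SSLSocket) SSLSocketFactory.getDefault()
                    .createSocket(plain, hostName, port, true);
            ssl.startHandshake();                   // emits the ClientHello
        } catch (IOException expected) {
            // The probe server closes without a ServerHello, so this always fails.
        }
    }

    public static void main(String[] args) throws Exception {
        // Default is already true; set explicitly before any JSSE class loads.
        System.setProperty("jsse.enableSNIExtension", "true");
        final ServerSocket probe = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        final int port = probe.getLocalPort();
        // Constructed inputs: an FQDN (SNI expected) and a bare label (no SNI expected).
        String[] names = { "www.example.com", "nodot" };
        for (final String name : names) {
            Thread client = new Thread(new Runnable() {
                public void run() { connectWithHostName(name, port); }
            });
            client.start();
            Socket s = probe.accept();
            DataInputStream in = new DataInputStream(s.getInputStream());
            byte[] hdr = new byte[5];
            in.readFully(hdr);                      // TLS record header
            int len = u16(hdr, 3);
            byte[] rec = new byte[5 + len];
            System.arraycopy(hdr, 0, rec, 0, 5);
            in.readFully(rec, 5, len);              // rest of the ClientHello record
            System.out.println(name + " -> host_name extension: " + hostNameFromClientHello(rec));
            s.close();                              // client handshake now fails, thread exits
            client.join();
        }
        probe.close();
    }
}
```

Run with `java SniProbe`; the FQDN case should print the hostname back and the bare label should print null, matching the "Fully Qualified Domain Name" condition Brad describes. Running it with `-Djsse.enableSNIExtension=false` on the command line will not change the result, because the class overrides the property in main; remove that line to test the property from the command line. The same parser can be pointed at a ClientHello captured off the wire to check what any client sends.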
