Dear All,

We are trying to use the Mina library to connect to a server which is running on SSL TLSv1.2. We are using JDK8u341 on the client side with the Mina 2.1.6 core library.

The server is expecting the server_name extension, so we are setting it explicitly as below in the SSLContext. But in the ClientHello in SSL we don't see the server_name extension going out.

Can someone tell me why this is happening even when we are setting it explicitly?


import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

// Logging via SLF4J (assumed: the mail does not show its imports; Mina itself logs through SLF4J)
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ClientSslContextGenerator {

    private static Logger log = LoggerFactory.getLogger(ClientSslContextGenerator.class);

    private static final String PROTOCOL = "TLSv1.3";

    // Trust manager whose check methods all return without inspecting the chain,
    // i.e. any server certificate is accepted
    static final X509TrustManager X509 = new X509ExtendedTrustManager() {

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Nothing to do
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Nothing to do
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            // Nothing to do
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            // Nothing to do
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            // Nothing to do
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            // Nothing to do
        }
    };

    static final TrustManager[] trustAllCerts = new TrustManager[] { X509 };

    public SSLContext getSslContext() throws Exception {
        SSLContext sslContext = SSLContext.getInstance(PROTOCOL);
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

        // getDefaultSSLParameters() returns a fresh SSLParameters object on every call;
        // this instance is not attached to the context or to any SSLEngine
        SSLParameters sslParameters = sslContext.getDefaultSSLParameters();
        log.info("SNIServerName=" + sslParameters.getServerNames());

        SNIServerName sniHostName = new SNIHostName("iso-tls-uat.apps.uat.abc.com");
        sslParameters.setServerNames(Collections.singletonList(sniHostName));
        log.info("SNIServerName=" + sslParameters.getServerNames());

        log.info("SSL provider is: " + sslContext.getProvider());
        return sslContext;
    }
}

 

 

The Client Hello:

javax.net.ssl|FINE|27|NioProcessor-11|2022-11-10 20:03:41.023 IST|ClientHello.java:567|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "6A C7 1B 07 8A C1 40 B4 4B 9F 08 34 D9 E4 83 46 9E 38 88 FC 2E 92 01 56 F7 47 74 FE 4A D2 90 A9",
  "session id"          : "16 2F 8A C9 E4 FF 4C 0B 9C 1C B7 E8 B1 BD B0 13 B5 68 5B F4 07 29 4A 40 ED 59 64 63 26 3E 66 0A",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302),
    TLS_AES_128_GCM_SHA256(0x1301),
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
    TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
    TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
    TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
    TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
    TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
    TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 C4 4C E3 1E DD EE 50   97 8F D3 52 96 6E 13 B4  ..L....P...R.n..
            0010: DF 2C 0E EE FF 57 4A 4F   E3 B8 6A 4D 20 AF ED 76  .,...WJO..jM ..v
            0020: 62 E1 F3 00 A1 97 1C BB   D8 1F 5E 37 04 95 37 7A  b.........^7..7z
            0030: 31 90 EF 63 15 DF 19 A0   7B 3D 46 19 21 9D 1F F4  1..c.....=F.!...
            0040: A7
          }
        },
      ]
    }
  ]
}
)

Thanks And Regards,
Nitin Phuria

Confidentiality Disclaimer: "The information contained in this electronic
message (email) and any attachments to this email are intended for the
exclusive use of the addressee(s) and access to this email by anyone else is
unauthorized. The email may contain proprietary, confidential or privileged
information or information relating to Integra Group. If you are not the
intended recipient, please notify the sender by telephone, fax, or return
email and delete this communication and any attachments thereto, immediately
from your computer. Any dissemination, distribution, or copying of this
communication and the attachments thereto (in whole or part), in any manner,
is strictly prohibited and actionable at law. The recipient acknowledges
that emails are susceptible to alteration and their integrity cannot be
guaranteed and that Company does not guarantee that any e-mail is virus-free
and accept no liability for any damage caused by any virus transmitted by
this email."
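The following is an added example, not code from the original mail and not part of Mina; it runs against plain JSSE on JDK 8 or later. It shows why the server_name extension never appears (SSLContext.getDefaultSSLParameters() hands back a detached copy, and editing that copy changes nothing) and two ways to make it appear: set the parameters on the SSLEngine itself when you hold the engine, or wrap the SSLContext so that every engine it creates already carries the name, for the case where a framework creates the engine for you (assumption: the framework only ever calls createSSLEngine on the context you give it). The host name, the class names SniDemo, applySni and withSni are constructed for the example.

```java
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.Collections;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLContextSpi;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

public final class SniDemo {

    // Constructed host name for the demonstration; not a real endpoint.
    static final String HOST = "tls-endpoint.example.com";

    /** Copy the engine's parameters, add SNI, and write the copy back to the engine. */
    static SSLEngine applySni(SSLEngine engine, String host) {
        SSLParameters p = engine.getSSLParameters();   // a copy of the engine's own parameters
        p.setServerNames(Collections.singletonList(new SNIHostName(host)));
        p.setEndpointIdentificationAlgorithm("HTTPS"); // also tie certificate verification to the host
        engine.setSSLParameters(p);                    // the copy only takes effect when set back
        return engine;
    }

    /** Wrap an initialised SSLContext so every SSLEngine it hands out already carries the name. */
    static SSLContext withSni(final SSLContext delegate, final String host) {
        SSLContextSpi spi = new SSLContextSpi() {
            @Override protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr)
                    throws KeyManagementException {
                throw new KeyManagementException("delegate context is already initialised");
            }
            @Override protected SSLSocketFactory engineGetSocketFactory() {
                return delegate.getSocketFactory();
            }
            @Override protected SSLServerSocketFactory engineGetServerSocketFactory() {
                return delegate.getServerSocketFactory();
            }
            @Override protected SSLEngine engineCreateSSLEngine() {
                return applySni(delegate.createSSLEngine(), host);
            }
            @Override protected SSLEngine engineCreateSSLEngine(String peerHost, int peerPort) {
                return applySni(delegate.createSSLEngine(peerHost, peerPort), host);
            }
            @Override protected SSLSessionContext engineGetServerSessionContext() {
                return delegate.getServerSessionContext();
            }
            @Override protected SSLSessionContext engineGetClientSessionContext() {
                return delegate.getClientSessionContext();
            }
        };
        // SSLContext's constructor is protected, so an anonymous subclass is used to reach it.
        return new SSLContext(spi, delegate.getProvider(), delegate.getProtocol()) { };
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);   // null trust managers: the JDK's default trust store

        // What the posted code does: edit a detached copy that is never attached to anything.
        SSLParameters detached = ctx.getDefaultSSLParameters();
        detached.setServerNames(Collections.singletonList(new SNIHostName(HOST)));
        SSLEngine untouched = ctx.createSSLEngine();
        untouched.setUseClientMode(true);
        // prints an empty list: the engine never saw the edited copy
        System.out.println("unwrapped context : " + untouched.getSSLParameters().getServerNames());

        // Fix 1: you hold the engine, so set the parameters on the engine.
        SSLEngine direct = ctx.createSSLEngine();
        direct.setUseClientMode(true);
        applySni(direct, HOST);
        System.out.println("engine parameters : " + direct.getSSLParameters().getServerNames());

        // Fix 2: the framework holds the engine, so hand it a context that applies SNI itself.
        SSLEngine wrapped = withSni(ctx, HOST).createSSLEngine();
        wrapped.setUseClientMode(true);
        System.out.println("wrapped context   : " + wrapped.getSSLParameters().getServerNames());
    }
}
```

Two practical notes. First, SunJSSE also uses the peer host passed to createSSLEngine(host, port) as the default server name when it is a valid DNS name, so an engine created with the target host name sends server_name without any of the above; an engine created with the no-argument createSSLEngine() has nothing to send. Second, the trust manager in ClientSslContextGenerator accepts every chain, so even once server_name is sent the client cannot tell a genuine server from an impostor presenting any certificate; the example above keeps the JDK's default trust store and turns on HTTPS endpoint identification so that the certificate is checked against the same host name that goes into the extension.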

 

