Dear All,
We are trying to use Mina library to connect to server which is running the
on SSL TLSv1.2. We are using JDK8u341 on client side with Mina 2.1.6 core
library.
Server is expecting the server_name extension so we are setting it
explicitly as below in SSLcontext. But in client hello in SSL we don't see
the server_name extension going.
Can someone tell me why it is happening even when we are setting it
explicitly.
public class ClientSslContextGenerator {
private static Logger log =
LoggerFactory.getLogger(ClientSslContextGenerator.class);
private static final String PROTOCOL = "TLSv1.3";
static final X509TrustManager X509 = new
X509ExtendedTrustManager() {
public void checkClientTrusted(
X509Certificate[] chain, String authType ) throws CertificateException {
// Nothing to do
}
public void checkServerTrusted(
X509Certificate[] chain, String authType ) throws CertificateException {
// Nothing to do
}
public X509Certificate[]
getAcceptedIssuers() {
return new
X509Certificate[0];
}
@Override
public void checkClientTrusted(
X509Certificate[] chain, String authType, Socket socket )
throws
CertificateException {
// Nothing to do
}
@Override
public void checkClientTrusted(
X509Certificate[] chain, String authType, SSLEngine engine )
throws
CertificateException {
// Nothing to do
}
@Override
public void checkServerTrusted(
X509Certificate[] chain, String authType, Socket socket )
throws
CertificateException {
// Nothing to do
}
@Override
public void checkServerTrusted(
X509Certificate[] chain, String authType, SSLEngine engine )
throws
CertificateException {
// Nothing to do
}
};
static final TrustManager[] trustAllCerts = new
TrustManager[] { X509 };
public ClientSslContextGenerator()
{
}
public SSLContext getSslContext() throws Exception
{
SSLContext sslContext = null;
try
{
sslContext =
SSLContext.getInstance(PROTOCOL);;
sslContext.init(null,
trustAllCerts, new java.security.SecureRandom());
SSLParameters sslParameters
= sslContext.getDefaultSSLParameters();
log.info("SNIServerName="+sslParameters.getServerNames());
SNIServerName sniHostName =
new SNIHostName("iso-tls-uat.apps.uat.abc.com");
sslParameters.setServerNames(Collections.singletonList(sniHostName));
log.info("SNIServerName="+sslParameters.getServerNames());
log.info("SSL provider is: "
+ sslContext.getProvider());
}
catch (Exception ex)
{
throw ex;
}
return sslContext;
}
}
The Client Hello
javax.net.ssl|FINE|27|NioProcessor-11|2022-11-10 20:03:41.023
IST|ClientHello.java:567|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "6A C7 1B 07 8A C1 40 B4 4B 9F 08 34 D9 E4 83 46
9E 38 88 FC 2E 92 01 56 F7 47 74 FE 4A D2 90 A9",
"session id" : "16 2F 8A C9 E4 FF 4C 0B 9C 1C B7 E8 B1 BD B0 13
B5 68 5B F4 07 29 4A 40 ED 59 64 63 26 3E 66 0A",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302),
TLS_AES_128_GCM_SHA256(0x1301),
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"supported_groups (10)": {
"versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072,
ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,
dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1,
rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,
dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1,
rsa_pkcs1_sha1, dsa_sha1]
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": secp256r1
"key_exchange": {
0000: 04 C4 4C E3 1E DD EE 50 97 8F D3 52 96 6E 13 B4
..L....P...R.n..
0010: DF 2C 0E EE FF 57 4A 4F E3 B8 6A 4D 20 AF ED 76
.,...WJO..jM ..v
0020: 62 E1 F3 00 A1 97 1C BB D8 1F 5E 37 04 95 37 7A
b.........^7..7z
0030: 31 90 EF 63 15 DF 19 A0 7B 3D 46 19 21 9D 1F F4
1..c.....=F.!...
0040: A7
}
},
]
}
]
}
)
Thanks And Regards,
Nitin Phuria
Confidentiality Disclaimer: "The information contained in this electronic
message (email) and any attachments to this email are intended for the
exclusive use of the addressee(s) and access to this email by anyone else is
unauthorized. The email may contain proprietary, confidential or privileged
information or information relating to Integra Group. If you are not the
intended recipient, please notify the sender by telephone, fax, or return
email and delete this communication and any attachments thereto, immediately
from your computer. Any dissemination, distribution, or copying of this
communication and the attachments thereto (in whole or part), in any manner,
is strictly prohibited and actionable at law. The recipient acknowledges
that emails are susceptible to alteration and their integrity cannot be
guaranteed and that Company does not guarantee that any e-mail is virus-free
and accept no liability for any damage caused by any virus transmitted by
this email."