OpenJDK 7 SNI Implementation
Tim Gustafson
tjg at tgustafson.com
Tue Aug 21 20:07:51 PDT 2012
Hi,
I'm not sure if this is the right list to post this to or not, so
please forgive me if it is not. If this is not the correct list,
would someone please direct me to the correct place?
I'm creating a Java application that implements a custom SSL server.
By "custom", I mean "implements its own KeyManager and TrustManager".
Specifically, I am storing certificate and key information in a
password-protected Derby database so that my certificate information
can be stored in the same encrypted database as all my other
application data, and also because I'm doing certificate validation a
bit differently than the stock Java key store does.
I see that Java is supposed to support SNI, but it's not clear to me
how this happens, or where it happens, or if support for SNI extends
only to client SSLSocket objects, or if it also applies to
SSLServerSocket objects. I can't find any documentation to tell me
exactly how Java supports SNI, nor can I find any examples of using
SNI, even from the client side of things.
I'd like my chooseServerAlias function in my X509KeyManager
implementation to pick a server alias based on what server the client
is attempting to connect to. But, I can't seem to find any properties
that are available through the "keyType", "issuers" or "socket"
parameters that are passed to that method that would tell me which
server the client is attempting to connect to.
I thought perhaps that I could make my client SSLSocket specify which
issuer/subject it was expecting to find on the server (and that
information would find its way to the "issuers" parameter of the
chooseServerAlias method), but I can't find any way to tell the client
SSLSocket which certificate to expect or which local certificate to
offer to the remote server.
So, short version: where is Java's support for SNI actually documented
in detail? And are there any sample code snippets that would show me
how to use SNI? Or is Java's SNI implementation just based on the
host name that you specify when creating your client SSLSocket? If
so, where does that host name information show up in the
chooseServerAlias function?
Thanks for any help in advance!
--
Tim Gustafson
tjg at tgustafson.com
http://tgustafson.com/
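As an added example, not part of the original post or of OpenJDK 7: on the server side, the SNI host name from the ClientHello is available inside chooseServerAlias through the in-progress handshake session, which is how a key manager can pick a per-host alias. This relies on javax.net.ssl.ExtendedSSLSession.getRequestedServerNames() and SNIHostName, which were introduced in Java 8, so it does not apply to the JDK 7 build the question is about. The class name SniKeyManager, the wrapped delegate key manager, and the aliasByHost map (standing in for the poster's Derby-backed store) are all assumptions made for this example.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.*;

// Hypothetical key manager: selects a server alias from the SNI host name the client sent.
// SNI is only used to choose which certificate to present; it is untrusted input and must
// not be used for any authorization decision.
public class SniKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;   // real keys and chains come from here
    private final Map<String, String> aliasByHost;   // constructed: "www.example.com" -> "alias1"
    private final String defaultAlias;               // presented when no mapping matches

    public SniKeyManager(X509ExtendedKeyManager delegate, Map<String, String> aliasByHost, String defaultAlias) {
        this.delegate = delegate; this.aliasByHost = aliasByHost; this.defaultAlias = defaultAlias;
    }

    // Extract the SNI host name (if any) from the handshake session (Java 8+ ExtendedSSLSession).
    static String requestedHost(SSLSession handshakeSession) {
        if (!(handshakeSession instanceof ExtendedSSLSession)) return null;
        for (SNIServerName n : ((ExtendedSSLSession) handshakeSession).getRequestedServerNames()) {
            if (n.getType() == StandardConstants.SNI_HOST_NAME && n instanceof SNIHostName) {
                return ((SNIHostName) n).getAsciiName().toLowerCase();
            }
        }
        return null; // no SNI extension in the ClientHello
    }

    // Unknown or absent host name falls back to the default alias rather than failing the handshake.
    private String pick(String host) {
        String alias = (host == null) ? null : aliasByHost.get(host);
        return (alias != null) ? alias : defaultAlias;
    }

    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        SSLSession s = (socket instanceof SSLSocket) ? ((SSLSocket) socket).getHandshakeSession() : null;
        return pick(requestedHost(s));
    }

    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return pick(requestedHost(engine.getHandshakeSession()));
    }

    // Everything else is delegated to the wrapped key manager.
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return delegate.chooseClientAlias(kt, is, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

On the client side, the matching Java 8 mechanism is SSLParameters.setServerNames() with an SNIHostName, which is what puts the name into the ClientHello that this key manager reads.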