OpenJDK 7 SNI Implementation
Brad Wetmore
bradford.wetmore at oracle.com
Wed Aug 22 14:19:32 PDT 2012
Cross-posting to security-dev.
Hi Tim,
On 8/21/2012 8:07 PM, Tim Gustafson wrote:
> I see that Java is supposed to support SNI, but it's not clear to me
> how this happens, or where it happens, or if support for SNI extends
> only to client SSLSocket object, or if it also applies to
> SSLServerSocket objects. I can't find any documentation to tell me
> exactly how Java supports SNI, nor can I find any examples of using
> SNI, even from the client side of things.
We currently only support client side sending of the SNI extension.
Our client handshakers look to see if the SNI Extension is enabled
(System Property: jsse.enableSNIExtension=true). If so, then if the
SSLSocket/SSLEngine was created with a Fully Qualified Domain Name
hostname, then we will load that hostname into an RFC 6066 "host_name"
extension [1] and send it as part of the ClientHello.
We don't currently have APIs to specify alternate server names on the
client side, or to observe the received SNI extensions on the server
side. We are right in the middle of designing the APIs for that[2]. We
will likely be posting a new version in the next week or so to the
security-dev mailing list.
> I'd like my chooseServerAlias function in my X509KeyManager
> implementation to pick a server alias based on what server the client
> is attempting to connect to. But, I can't seem to find any properties
> that are available through the "keyType", "issuers" or "socket"
> parameters that are passed to that method that would tell me which
> server the client is attempting to connect to.
Earlier versions of the APIs are available via the security-dev mail
archives[3], but I would suggest waiting for the next iteration.
> I thought perhaps that I could make my client SSLSocket specify which
> issuer/subject it was expecting to find on the server (and that
> information would find its way to the "issuers" parameter of the
> chooseServerAlias method), but I can't find any way to tell the client
> SSLSocket which certificate to expect or which local certificate to
> offer to the remote server.
>
> So, short version: where is Java's support for SNI actually documented
> in detail? And are there any sample code snippets that would show me
> how to use SNI? Or is Java's SNI implementation just based on the
> host name that you specify when creating your client SSLSocket?
Yes.
> If
> so, where does that host name information show up in the
> chooseServerAlias function?
Working on this for JDK 8.
> Thanks for any help in advance!
Hope this helps,
Brad
[1] http://www.rfc-editor.org/rfc/rfc6066.txt
[2] http://openjdk.java.net/jeps/114
[3] http://mail.openjdk.java.net/pipermail/security-dev/2012-August/005285.html
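As an added illustration of the RFC 6066 "host_name" extension the reply describes (example code written for this page, not code from the original message or from OpenJDK), the block below encodes the extension the way a client would put it into its ClientHello, only for a DNS hostname and never for an IP literal, and parses it back the way a server would to learn which name the client asked for. Function names and the sample hostnames are hypothetical.

```python
import ipaddress
import struct

EXT_SERVER_NAME = 0x0000   # RFC 6066 extension_type for server_name
NAME_TYPE_HOST_NAME = 0    # RFC 6066 NameType.host_name

def build_server_name_extension(host):
    """Encode the client's server_name extension, or None when no SNI applies."""
    # RFC 6066 forbids literal IPv4/IPv6 addresses in HostName, so an IP
    # literal (or an empty name) yields None, matching the FQDN rule above.
    if not host:
        return None
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None  # IP literal: no SNI extension is sent
    except ValueError:
        pass
    name = host.encode("ascii")  # HostName is ASCII; IDNs must be A-labels
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list

def parse_server_name_extension(data):
    """Decode one server_name extension (server side) into its host names."""
    # Every length field is checked so a malformed extension raises
    # ValueError instead of reading past the end of the buffer.
    if len(data) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_SERVER_NAME:
        raise ValueError("not a server_name extension: type %d" % ext_type)
    body = data[4:4 + ext_len]
    if ext_len < 2 or len(body) != ext_len:
        raise ValueError("extension_data length mismatch")
    (list_len,) = struct.unpack("!H", body[:2])
    names_blob = body[2:2 + list_len]
    if len(names_blob) != list_len:
        raise ValueError("ServerNameList length mismatch")
    names, pos = [], 0
    while pos < len(names_blob):
        if len(names_blob) - pos < 3:
            raise ValueError("truncated ServerName")
        name_type, name_len = struct.unpack("!BH", names_blob[pos:pos + 3])
        name = names_blob[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated HostName")
        pos += 3 + name_len
        if name_type == NAME_TYPE_HOST_NAME:
            names.append(name.decode("ascii"))
    return names
```

The parsed name is what a server-side chooseServerAlias would need to pick a certificate per virtual host; a server should still validate it against the names it actually serves before trusting it.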