SNI not sent with Java 22+ using java.net.http.HttpClient.Builder#sslParameters
Jaikiran Pai
jai.forums2013 at gmail.com
Mon Nov 25 08:48:45 UTC 2024
Hello Nicolas,
On 25/11/24 2:05 pm, Nicolas Henneaux wrote:
> Hi Jaikiran,
>
> For an unknown reason, I have not received your reply.
Not sure what happened but here's my previous reply
https://mail.openjdk.org/pipermail/net-dev/2024-November/024726.html.
>
> The issue I have is SslParameters#ServerNames is now overridden by an
> empty list as the IP is not detected as a valid name.
The RFC-6066 section 3 https://www.rfc-editor.org/rfc/rfc6066#section-3
which specifies the Server Name Indication (SNI) semantics, explicitly
states that IP addresses aren't allowed as SNI values:
    Currently, the only server names supported are DNS hostnames
    ...
    Literal IPv4 and IPv6 addresses are not permitted in "HostName".
>
> This pull request reproduced the issue
> https://github.com/nhenneaux/resilient-httpclient/pull/68.
I'll take a deeper look at that test case later today. Thank you for that.
-Jaikiran
>
> This would fix the issue by merging the detected hostname with the
> configured list of server names
> https://github.com/openjdk/jdk/pull/22211/files. Perhaps it is better
> to only use the configuration instead of detected name in such case?
>
> I hope it clarifies the issue I have.
>
> Best regards,
>
> Nicolas
>
>> On Nov 18, 2024, at 5:46 PM, Nicolas Henneaux <nicolas at henneaux.io>
>> wrote:
>>
>>
>> Hi Daniel,
>>
>> Thanks for your answer!
>>
>> I know it is not supported hence I have built some years ago a
>> library around HttpClient to do that.
>> https://github.com/nhenneaux/resilient-httpclient
>>
>> I made a pull request with the fix I would need to be applied
>> https://github.com/openjdk/jdk/pull/22211/files.
>>
>> I think it is a regression introduced in Java 22 since configured
>> SslParameters#ServerNames is now discarded in favour of the HTTP
>> hostname which is not valid if the hostname is an IP.
>>
>> Best regards,
>>
>> Nicolas
>>
>>> On Nov 18, 2024, at 5:40 PM, Daniel Fuchs <daniel.fuchs at oracle.com>
>>> wrote:
>>>
>>>
>>> Hi Nicolas,
>>>
>>> If I understand correctly, you would like to be able to select which
>>> IP address is used when connecting to a host that has several
>>> IP addresses.
>>>
>>> This functionality is currently not supported by the HttpClient.
>>>
>>> best regards,
>>>
>>> -- daniel
>>>
>>> On 18/11/2024 15:56, Nicolas Henneaux wrote:
>>>> In the library, I force the IP in the HTTP request to enforce the
>>>> target
>>>> IP keeping the HTTP host header and SNI aligned with the actual value.
>>>> The detected SNI is then empty, is it possible to support both
>>>> detected
>>>> and specified SNI?
>>
>>
>
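
Added example, not code from this thread, the linked pull requests or the JDK: a probe that builds a ClientHello in memory with SSLEngine and reports which server_name (RFC 6066) it carries, for a hostname peer, an IP-literal peer, and an IP-literal peer with SSLParameters#setServerNames configured. The class name `SniProbe`, the name `service.example` and the address `192.0.2.10` are constructed placeholders, and because it drives JSSE directly rather than java.net.http.HttpClient, it shows what the TLS layer does with the parameters it is handed, not what HttpClient passes down.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.net.ssl.*;

public class SniProbe {   // hypothetical name, for illustration only
    static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }

    // Returns the first host_name in the ClientHello's server_name extension, or null if absent.
    static String sniOf(ByteBuffer rec) {
        rec.position(5 + 4 + 2 + 32);                            // record hdr, handshake hdr, version, random
        skip(rec, 1 + (rec.get(rec.position()) & 0xff));         // session id
        skip(rec, 2 + (rec.getShort(rec.position()) & 0xffff));  // cipher suites
        skip(rec, 1 + (rec.get(rec.position()) & 0xff));         // compression methods
        int extLen = rec.getShort() & 0xffff;
        int end = rec.position() + extLen;
        while (rec.position() + 4 <= end) {
            int type = rec.getShort() & 0xffff, len = rec.getShort() & 0xffff;
            if (type == 0) {                                     // extension 0 = server_name
                rec.getShort();                                  // server_name_list length
                rec.get();                                       // name_type (0 = host_name)
                byte[] name = new byte[rec.getShort() & 0xffff];
                rec.get(name);
                return new String(name, StandardCharsets.US_ASCII);
            }
            skip(rec, len);
        }
        return null;
    }

    // Builds a ClientHello in memory (nothing is sent on a network) and extracts its SNI.
    static String clientHelloSni(String peerHost, List<SNIServerName> configured) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(peerHost, 443);
        engine.setUseClientMode(true);
        if (configured != null) {
            SSLParameters p = engine.getSSLParameters();
            p.setServerNames(configured);
            engine.setSSLParameters(p);
        }
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out);                // first wrap emits the ClientHello
        out.flip();
        return sniOf(out);
    }

    public static void main(String[] args) throws Exception {
        List<SNIServerName> names = List.of(new SNIHostName("service.example")); // constructed name
        System.out.println("hostname peer, default:   " + clientHelloSni("service.example", null));
        System.out.println("IP peer, default:         " + clientHelloSni("192.0.2.10", null));
        System.out.println("IP peer, configured name: " + clientHelloSni("192.0.2.10", names));
    }
}
```

Run it with `java SniProbe.java` on each JDK version being compared.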