SNI not sent with Java 22+ using java.net.http.HttpClient.Builder#sslParameters

Jaikiran Pai jai.forums2013 at gmail.com
Mon Nov 25 08:48:45 UTC 2024


Hello Nicolas,

On 25/11/24 2:05 pm, Nicolas Henneaux wrote:
> Hi Jaikiran,
>
> For an unknown reason, I have not received your reply.

Not sure what happened but here's my previous reply 
https://mail.openjdk.org/pipermail/net-dev/2024-November/024726.html.

>
> The issue I have is SslParameters#ServerNames is now overridden by an 
> empty list as the IP is not detected as a valid name.

The RFC-6066 section 3 https://www.rfc-editor.org/rfc/rfc6066#section-3 
which specifies the Server Name Indication (SNI) semantics, explicitly 
states that IP addresses aren't allowed as SNI values:

     Currently, the only server names supported are DNS hostnames
     ...
     Literal IPv4 and IPv6 addresses are not permitted in "HostName".

>
> This pull request reproduced the issue 
> https://github.com/nhenneaux/resilient-httpclient/pull/68.

I'll take a deeper look at that test case later today. Thank you for that.

-Jaikiran


>
> This would fix the issue by merging the detected hostname with the 
> configured list of server names 
> https://github.com/openjdk/jdk/pull/22211/files. Perhaps it is better 
> to only use the configuration instead of detected name in such case?
>
> I hope it clarifies the issue I have.
>
> Best regards,
>
> Nicolas
>
>> On Nov 18, 2024, at 5:46 PM, Nicolas Henneaux <nicolas at henneaux.io> 
>> wrote:
>>
>>
>> Hi Daniel,
>>
>> Thanks for your answer!
>>
>> I know it is not supported hence I have built some years ago a 
>> library around HttpClient to do that.
>> https://github.com/nhenneaux/resilient-httpclient
>>
>> I made a pull request with the fix I would need to be applied 
>> https://github.com/openjdk/jdk/pull/22211/files.
>>
>> I think it is a regression introduced in Java 22 since configured 
>> SslParameters#ServerNames is now discarded in favour of the HTTP 
>> hostname which is not valid if the hostname is an IP.
>>
>> Best regards,
>>
>> Nicolas
>>
>>> On Nov 18, 2024, at 5:40 PM, Daniel Fuchs <daniel.fuchs at oracle.com> 
>>> wrote:
>>>
>>>
>>> Hi Nicolas,
>>>
>>> If I understand correctly, you would like to be able to select which
>>> IP address is used when connecting to a host that has several
>>> IP addresses.
>>>
>>> This functionality is currently not supported by the HttpClient.
>>>
>>> best regards,
>>>
>>> -- daniel
>>>
>>> On 18/11/2024 15:56, Nicolas Henneaux wrote:
>>>> In the library, I force the IP in the HTTP request to enforce the 
>>>> target
>>>> IP keeping the HTTP host header and SNI aligned with the actual value.
>>>> The detected SNI is then empty, is it possible to support both 
>>>> detected
>>>> and specified SNI?
>>
>>
>
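
Added example (not part of the thread, and not code from the JDK or from resilient-httpclient): a way to check on the wire what the messages above discuss. A JSSE SSLEngine builds a ClientHello without any network I/O and the server_name extension is read back for a DNS peer host, an IP-literal peer host, and an IP-literal peer host with an explicit SSLParameters server-name list. It drives SSLEngine directly rather than java.net.http.HttpClient; the class name SniCheck, the name service.example and the address 192.0.2.10 are constructed for illustration.

```java
import javax.net.ssl.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class SniCheck {
    // Builds a ClientHello in memory and returns the SNI host_name it carries, or null if absent.
    static String sniOf(String peerHost, List<SNIServerName> explicit) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(peerHost, 443);
        engine.setUseClientMode(true);
        if (explicit != null) {                       // same API the thread refers to
            SSLParameters p = engine.getSSLParameters();
            p.setServerNames(explicit);
            engine.setSSLParameters(p);
        }
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out);     // first wrap() emits the ClientHello record
        out.flip();
        return parseSni(out);
    }

    // Walks the ClientHello fields up to the extensions and looks for server_name (type 0).
    static String parseSni(ByteBuffer b) {
        b.position(5 + 4 + 2 + 32);                   // record hdr, handshake hdr, version, random
        b.position(b.position() + 1 + (b.get(b.position()) & 0xff));         // session_id
        b.position(b.position() + 2 + (b.getShort(b.position()) & 0xffff));  // cipher_suites
        b.position(b.position() + 1 + (b.get(b.position()) & 0xff));         // compression_methods
        int extLen = b.getShort() & 0xffff, end = b.position() + extLen;
        while (b.position() + 4 <= end) {
            int type = b.getShort() & 0xffff, len = b.getShort() & 0xffff;
            if (type == 0) {
                b.position(b.position() + 3);         // list length (2) + name_type (1)
                byte[] name = new byte[b.getShort() & 0xffff];
                b.get(name);
                return new String(name, StandardCharsets.US_ASCII);
            }
            b.position(b.position() + len);           // skip any other extension
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String ip = "192.0.2.10";                     // constructed address (TEST-NET-1)
        List<SNIServerName> names = List.of(new SNIHostName("service.example")); // hypothetical name
        System.out.println("DNS peer host, implicit: " + sniOf("service.example", null));
        System.out.println("IP peer host, implicit:  " + sniOf(ip, null));
        System.out.println("IP peer host, explicit:  " + sniOf(ip, names));
    }
}
```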

