[security-dev 00566]: Re: SNI support in JSSE
Xuelei Fan
Xuelei.Fan at Sun.COM
Fri Feb 13 02:51:16 UTC 2009
It is appreciated that you'd like to investigate it.
If you need more information about the current framework of TLS/JSSE,
please refer to the JSSE reference guide [7].
Currently, there is no way to define a plug-in-able extension (that's my
plan in the long run), so if one wants to implement an extension, he has to
hard-code the handshaking, on both the client side [1] and the server side [2].
For SNI, there are these requirements:
1. For the client side, it might need a public API in order to set the
peer hostname; otherwise, get the host name from the request URI.
2. For the server side, the simplest case is to choose a trusted
certificate for the requested hostname.
3. For virtual hosts and virtual machines, the server would like to forward
IP or proxy a connection to the virtual one, so one needs to define a
callback in order to provide the flexibility that users could
customize their behaviors while getting an SNI extension.
In order to meet those requirements on the current framework, one should:
1. Modify the ClientHello HandshakeMessage [3] to support the SNI extension.
2. Modify the trust manager [4] and the key manager [5] to get them to select
the proper certificate according to the SNI.
3. Modify the ClientHandshaker [1] and ServerHandshaker [2].
4. Add a new public API to SSLSocket, or an SSL parameter to SSLSocket [6], to
indicate what behaviors should be taken when getting such an SNI extension.
However, because it is not possible to add a new public API in JDK 7,
maybe you need to hard-code the behaviors when getting an SNI in
ServerHandshaker [2].
JDK 6 has support for the ECC extension; I think maybe you could get some hints
from there [8][1][2].
Thanks,
Xuelei
[1]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java
[2]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java
[3]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/sun/security/ssl/HandshakeMessage.java#ClientHello
[4]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java
[5]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java
[6]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/javax/net/ssl/SSLSocket.java
[7]: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
[8]: http://www.jiema.org/xref/openjdk/jdk7/jdk/src/share/classes/sun/security/ssl/HandshakeMessage.java
Xuelei Fan wrote:
> No, and there is no plan to support it at jdk7 at present.
>
> Xuelei
>
> Richard Stupek wrote:
>> Is SNI (Server name indication) slated to be in JDK7?
>
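The SNI wire format that the ClientHello and ServerHandshaker changes discussed above would have to emit and consume, as an added standalone example (Python, not JSSE code and not from anyone in this thread): it encodes the server_name extension (RFC 4366 / RFC 6066) for a ClientHello, parses it back on the server side with length checks, and picks a certificate for the requested host with a default fallback. Host names and certificate labels are constructed sample values.

```python
import struct

# Wire constants from RFC 4366 / RFC 6066: extension type server_name(0), name type host_name(0).
EXT_SERVER_NAME = 0
NAME_TYPE_HOST_NAME = 0


def encode_sni_extension(hostname):
    """Client side: encode one ClientHello extension holding a server_name_list with one host_name."""
    host = hostname.encode("ascii")  # host names are ASCII (IDNA A-labels for non-ASCII)
    if not host or len(host) > 0xFFFF:
        raise ValueError("hostname must be 1..65535 bytes")
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(host)) + host
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def client_hello_extensions(*exts):
    """Wrap encoded extensions in the 2-byte-length block that ends a ClientHello."""
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body


def parse_sni(extensions):
    """Server side: walk the extensions block and return the SNI host name (lower-cased) or None.
    A length that overruns its container raises ValueError rather than reading garbage."""
    total, body, pos = int.from_bytes(extensions[:2], "big"), extensions[2:], 0
    if len(body) != total:
        raise ValueError("extensions block length mismatch")
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if len(data) != ext_len:
            raise ValueError("extension overruns block")
        if ext_type != EXT_SERVER_NAME:
            continue  # skip unrelated extensions (e.g. the ECC ones JDK 6 already emits)
        list_len = int.from_bytes(data[:2], "big")
        names, off = data[2:2 + list_len], 0
        while off + 3 <= len(names):
            name_type, name_len = struct.unpack("!BH", names[off:off + 3])
            name = names[off + 3:off + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("server_name overruns list")
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii").lower()
            off += 3 + name_len
    return None


def select_certificate(extensions, certs_by_host, default):
    """Pick the certificate for the requested host (keys lower-case); fall back to default."""
    return certs_by_host.get(parse_sni(extensions), default)
```

The fallback to a default certificate is what a server without any SNI handling does today; the per-host lookup is the minimal "choose a certificate for the requested hostname" behavior from requirement 2.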