(2nd round) Proposed API Changes for JEP 114: TLS Server Name Indication (SNI) Extension

Xuelei Fan xuelei.fan at oracle.com
Mon Aug 13 10:44:03 UTC 2012


On 8/12/2012 8:52 PM, Xuelei Fan wrote:
>> SSLParameters.java
>> > ==================
>> > 
>> > One general question before we get to specifics.  Your current default
>> > behavior of the SunJSSE is to add a SNI extension if we have the value
>> > available.  So if we call:
>> > 
>> >     sslSocket = socketFactory.createSocket("www.example.com", 443);
>> >     sslp = sslParameters.getSSLParameters();
>> > 
>> > will this sslParameters ever contain a map with preinstalled "host_name"
>> > set to "www.example.com", or will it be empty?  I think the answer will
>> > be empty.  This API is just a way to force setting the value if an
>> > implementation selects an unwanted value.
>> > 
> No, it is not empty. The default value will appear in the SSLParameters
> in my prototype implementation.
> 
Having thought more about the design, I would have to say that we cannot
return the default value in sslParameters.getServerNames().  Otherwise, the
following two blocks of code look very weird to me:
    // case one:
1   SSLParameters sslParameters = sslSocket.getSSLParameters();
2   sslParameters.clearServerName("host_name");
3   Map<String, String> names = sslParameters.getServerNames();
4   sslSocket.setSSLParameters(sslParameters);
5   sslParameters = sslSocket.getSSLParameters();
6   names = sslParameters.getServerNames();

In line 3, the returned map does not contain a "host_name" entry. But in
line 6, it may be expected that there is no "host_name" in the returned
map. But if we want to return default values, line 6 does need to return
a map containing "host_name".  The behavior is pretty confusing. We may
want to try to avoid the confusion.

And there are similar concerns at lines 4 and 7 in the 2nd case:
    // case two:
1   SSLParameters sslParameters = new SSLParameters();
2   sslParameters.setServerName("host_name", "www.example.com");
3   sslParameters.clearServerName("host_name");
4   Map<String, String> names = sslParameters.getServerNames();
5   sslSocket.setSSLParameters(sslParameters);
6   sslParameters = sslSocket.getSSLParameters();
7   names = sslParameters.getServerNames();

I will describe it explicitly in the spec that the default values will not
show in the map.

Xuelei

> But that's an interesting topic to discuss as there are a few concerns I
> have to consider when I design the APIs.
> 
> There are public SSLParameters constructors. This means that an instance
> of SSLParameters is not always got from a SSLSocket or SSLEngine
> instance. Then we are not always able to have the *default* value of an
> instance of SSLSocket/SSLEngine into SSLParameters if it is not bound to
> SSLSocket/SSLEngine. So we still need to discuss about how the user
> specified values work with the default ones.
> 
>     SSLParameters sslParameters = new SSLParameters();
>     ...
>     sslSocket.setSSLParameters(sslParameters);
> 
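
The round trip in "case one" above, as an added example that is not part of the original message or of the JSSE code. `Params`, `Socket` and the `exposeDefaults` switch are hypothetical stand-ins that model the two designs under discussion: parameters that include the implementation default "host_name", and parameters that hold only user-specified names.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not the javax.net.ssl classes.
public class SniDefaultsModel {
    // Stand-in for SSLParameters: just the server-name map.
    static class Params {
        final Map<String, String> names = new HashMap<>();
    }

    // Stand-in for SSLSocket: an implementation default plus user-set names.
    static class Socket {
        private final String defaultHost;      // from createSocket(host, port)
        private final boolean exposeDefaults;  // the design choice being debated
        private Map<String, String> userNames = new HashMap<>();

        Socket(String defaultHost, boolean exposeDefaults) {
            this.defaultHost = defaultHost;
            this.exposeDefaults = exposeDefaults;
        }

        Params getParams() {
            Params p = new Params();
            if (exposeDefaults) {
                p.names.put("host_name", defaultHost);
            }
            p.names.putAll(userNames);         // user values override the default
            return p;
        }

        void setParams(Params p) {
            userNames = new HashMap<>(p.names);
        }
    }

    // Case one: get, clear "host_name", set, get again (lines 1-6 of the message).
    static boolean hostNameAtLine6(boolean exposeDefaults) {
        Socket socket = new Socket("www.example.com", exposeDefaults);
        Params p = socket.getParams();         // line 1
        p.names.remove("host_name");           // line 2: the map is now empty
        socket.setParams(p);                   // line 4
        return socket.getParams().names.containsKey("host_name"); // line 6
    }

    public static void main(String[] args) {
        System.out.println("defaults exposed, host_name at line 6: " + hostNameAtLine6(true));
        System.out.println("defaults hidden,  host_name at line 6: " + hostNameAtLine6(false));
    }
}
```

With defaults exposed, an empty map written back by the caller cannot be told apart from "nothing specified", so the cleared entry reappears on the next read; with defaults hidden, the map read at line 6 matches what was set at line 4.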



