Code Review Request 8144566, Custom HostnameVerifier disables SNI extension

ecki at zusammenkunft.net ecki at zusammenkunft.net
Tue Dec 8 03:27:13 UTC 2015


Isnt this codepath used as a workaround for dynamically disabling SNI? Using connect(host..) instead of SSLSocket(host) was at least a common, well known workaround.

Gruss
Bernd
-- 
http://bernd.eckenfels.net

-----Original Message-----
From: Bradford Wetmore <bradford.wetmore at oracle.com>
To: Xuelei Fan <xuelei.fan at oracle.com>, OpenJDK <security-dev at openjdk.java.net>
Sent: Di., 08 Dez. 2015 2:51
Subject: Re: Code Review Request 8144566, Custom HostnameVerifier disables SNI extension


Please see my comment in the bug.  I haven't verified this, but it seems 
the problem might be generic to the codepath through SSLSocket, not just 
Https.

Brad





On 12/6/2015 4:32 AM, Xuelei Fan wrote:
> Hi,
>
> Please review the update for JDK-8144566:
>
>     http://cr.openjdk.java.net/~xuelei/8144566/webrev.00/
>
> For HttpsURLConnection, the server name may be set after the TLS
> connection and handshake has been initialized.  As may result in that
> the server name does not present at TLS ClientHello messages.
>
> This fix resets the server name for the initialized handshake for above
> cases.
>
> Thanks,
> Xuelei
>


More information about the security-dev mailing list