Code Review Request 8144566, Custom HostnameVerifier disables SNI extension
Xuelei Fan
xuelei.fan at oracle.com
Wed Jan 20 01:14:50 UTC 2016
Ping ...
On 12/8/2015 8:12 PM, Xuelei Fan wrote:
> Good catch!
>
> I copied the comment here:
>
> ----------
> SocketFactory sslsf = SSLSocketFactory.getDefault();
> SSLSocket ssls = (SSLSocket) sslsf.createSocket();
> ssls.connect(new InetSocketAddress(
> "bugs.openjdk.java.net", 443), 0);
> ssls.startHandshake();
>
> No SNI is sent in this case.
> ----------
>
> Although this is not a regression, but this is a very good catch.
>
> However, I don't think the code path is a best practice, as the actual
> behavior depends on providers behaviors and platform behaviors too much.
> I would recommend to use SSLParameters.setServerNames() to specify the
> server names explicitly.
>
> But, best effort should be made for the default server names for such
> code paths. Here is the webrev that also fixes this code path issue:
>
> http://cr.openjdk.java.net/~xuelei/8144566/webrev.01/
>
> The fix gets a little bit complicated because of the need to consider
> the SSLParameters.setServerNames() impact in the code path:
>
> SSLSocket ssls = (SSLSocket) sslsf.createSocket();
>
> // before the connection, need to consider the impact:
> // Get the SSLParameters from the socket, or create on the fly?
> // Call ssls.setSSLParameters(params) or not?
> ssls.connect(socketAddress);
>
> // after the connection, need to consider the impact:
> // Call ssls.setSSLParameters(params) or not?
>
> Basically, the implementation honors the server name set by
> SSLParameters.setServerNames().
>
> Bernd's comment:
>> Isnt this codepath used as a workaround for dynamically disabling
>> SNI? Using connect(host..) instead of SSLSocket(host) was at
>> least a common, well known workaround.
> If the code path is really used in practice, the
> SSLParameters.setServerNames() would better be called actually to
> disable SNI explicitly.
>
> SocketFactory sslsf = SSLSocketFactory.getDefault();
> SSLSocket ssls = (SSLSocket) sslsf.createSocket();
> ssls.connect(new InetSocketAddress(
> "bugs.openjdk.java.net", 443), 0);
> sslParameters.setServerNames(emptyList);
> ssls.setSSLParameters(sslParameters);
> ssls.startHandshake();
>
> Thank you, Bernd and Brad, for the feedback.
>
> Thanks,
> Xuelei
>
> On 12/8/2015 8:21 AM, Bradford Wetmore wrote:
>>
>> Please see my comment in the bug. I haven't verified this, but it seems
>> the problem might be generic to the codepath through SSLSocket, not just
>> Https.
>>
>> Brad
>>
>>
>>
>>
>>
>> On 12/6/2015 4:32 AM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Please review the update for JDK-8144566:
>>>
>>> http://cr.openjdk.java.net/~xuelei/8144566/webrev.00/
>>>
>>> For HttpsURLConnection, the server name may be set after the TLS
>>> connection and handshake has been initialized. As may result in that
>>> the server name does not present at TLS ClientHello messages.
>>>
>>> This fix resets the server name for the initialized handshake for above
>>> cases.
>>>
>>> Thanks,
>>> Xuelei
>>>
>
More information about the security-dev
mailing list