New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider using the host name in the SSLEngineFactory #513

Closed
harbulot opened this Issue Mar 26, 2014 · 2 comments

Comments

Projects
None yet
4 participants
@harbulot
Copy link

harbulot commented Mar 26, 2014

The SSLEngineFactory interface currently only has one method, SSLEngine newSSLEngine(), which cannot let the SSLEngine be created with a host name (see SSLEngine(String peerHost, int peerPort)).

Unfortunately, this prevents two useful features from being used:

  1. This would allow for an easy fix for issues #197 and #352 (assuming Java 7+), but setting the endpoint identification algorithm (to use Java 7's X509ExtendedTrustManager):

    SSLParameters sslParams = new SSLParameters();
    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    sslEngine.setSSLParameters(sslParams);
    

    This can only be used if the SSLEngine is aware of the host name requested, which is normally be done by using the constructor with peerHost.

  2. This would allow for the Server Name Indication (SNI) extension to be used for servers that need it. Again, for SNI to be used, the SSLEngine needs to be aware of the name with which it's used. This is essentially the same problem as this Apache HTTP Client issue.

Of course, there would also need to be support for all this in the provider libraries. I haven't looked into it in details, but this should be feasible in general. The code that requires the use of an SSLEngine is rarely far away from other code where the requested host name is available. (As far as I'm aware, these are just hints, so the port number doesn't need to have a meaningful value in when using that constructor.)

This might involve a bit of refactoring, but it can be worth it. Although host name verification can technically be provided by other means, it's much more difficult for SNI.

(Another workaround is to use reflection and setName(...) on SSLEngineImpl, if and when available. Of course, this is not a clean workaround, and heavily depends on the engine's implementation details.)

@jfarcand

This comment has been minimized.

Copy link
Contributor

jfarcand commented Mar 26, 2014

@harbulot Pull request welcomed :-)

@wsargent

This comment has been minimized.

Copy link
Contributor

wsargent commented Apr 8, 2014

Pull request added.

@slandelle slandelle added this to the 2.0.0.Alpha1 milestone Jun 13, 2014

@slandelle slandelle self-assigned this Jun 13, 2014

@slandelle slandelle closed this in 4beb9c8 Jun 13, 2014

@slandelle slandelle modified the milestones: 1.9.0, 2.0.0.Alpha1 Jul 10, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment