NEXUS-6838: "Rude" fix, adding SNI to TLS/HTTPS

This is the "rude" way as described in HTTPCLIENT-1119. Other solution is described in other comment, in short: create "plain" socket, and then wrap that socket with SSLSocket, but for that to work you'd need to have host dedicated SSLContext (for each HOST you access). SNI works only on Java7+
sonatype · Sep 9, 2014 · b581a1b · b581a1b
1 parent c9482be
commit b581a1b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/components/nexus-core/pom.xml b/components/nexus-core/pom.xml
@@ -395,6 +395,13 @@
       <artifactId>hibernate-validator</artifactId>
     </dependency>
 
+    <!-- Animal Sniffer -->
+    <dependency>
+      <groupId>org.codehaus.mojo</groupId>
+      <artifactId>animal-sniffer-annotations</artifactId>
+      <optional>true</optional>
+    </dependency>
+
     <!-- Testing -->
     <dependency>
       <groupId>org.sonatype.nexus</groupId>

diff --git a/...src/main/java/org/sonatype/nexus/internal/httpclient/NexusSSLConnectionSocketFactory.java b/...src/main/java/org/sonatype/nexus/internal/httpclient/NexusSSLConnectionSocketFactory.java
@@ -28,6 +28,8 @@
 import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
 import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.protocol.HttpContext;
+import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement;
+import sun.security.ssl.SSLSocketImpl;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -83,6 +85,7 @@ public Socket createSocket(final HttpContext context) throws IOException {
   }
 
   @Override
+  @IgnoreJRERequirement
   public Socket connectSocket(final int connectTimeout, final Socket socket, final HttpHost host,
                               final InetSocketAddress remoteAddress,
                               final InetSocketAddress localAddress, final HttpContext context) throws IOException
@@ -93,6 +96,14 @@ public Socket connectSocket(final int connectTimeout, final Socket socket, final
     if (localAddress != null) {
       sock.bind(localAddress);
     }
+    // NEXUS-6838: Server Name Indication support, a TLS feature that allows SSL
+    // "virtual hosting" (multiple certificates) over single IP address + port.
+    // Some CDN solutions requires this for HTTPS, as they choose certificate
+    // to use based on "expected" hostname that is being passed here below
+    // and is used during SSL handshake. Requires Java7+
+    if (sock instanceof SSLSocketImpl) {
+      ((SSLSocketImpl)sock).setHost(host.getHostName());
+    }
     try {
       sock.connect(remoteAddress, connectTimeout);
     }