Support TLS server_name extension (SNI) #830

Closed
adriancole opened this Issue May 14, 2014 · 3 comments


adriancole commented May 14, 2014

SNI allows a TLS server to reliably support multiple hostnames on the same IP.

Specifying the server_name on the client is supported in different ways, depending on whether the platform is Android, JRE 7 or JRE 8. Typically, this requires carrying the original hostname in a way that isn't lost during DNS lookups.

Testing is tricky due to platform specifics and because server support was only added in Java 8. MockWebServer could support a platform-dependent option for testing SNI.

We should track our support and how we can test that it works, ad-hoc or otherwise.

adriancole May 14, 2014

Collaborator

Using okcurl on OpenJDK 7 (which it is pinned to due to NPN), it seems SNI is working according to sni.velox.ch.

~/Development/okhttp master okcurl/target/okcurl-2.0.0-SNAPSHOT-jar-with-dependencies.jar https://bob.sni.velox.ch
--snip---
<p><strong>Great! Your client </strong>[okcurl/2.0.0-SNAPSHOT] <strong> 
sent the following TLS server name indication extension
(<a href="http://www.rfc-editor.org/rfc/rfc6066.txt">RFC 6066</a>)
in its ClientHello </strong>(negotiated protocol: TLSv1, cipher suite: ECDHE-RSA-AES256-SHA)<strong>:</strong></p>
<pre>  <strong>bob.sni.velox.ch</strong></pre>
--snip---
adriancole May 14, 2014

Collaborator

So these work.

  • /Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/bin/java -jar okcurl/target/okcurl-2.0.0-SNAPSHOT-jar-with-dependencies.jar https://bob.sni.velox.ch
  • /Library/Java/JavaVirtualMachines/jdk1.8.0.jdk/Contents/Home/bin/java -jar okcurl/target/okcurl-2.0.0-SNAPSHOT-jar-with-dependencies.jar https://bob.sni.velox.ch

and the negative test fails as expected.

/Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/bin/java -Djsse.enableSNIExtension=false -jar okcurl/target/okcurl-2.0.0-SNAPSHOT-jar-with-dependencies.jar https://bob.sni.velox.ch
java.io.IOException: Hostname 'bob.sni.velox.ch' was not verified
    at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:188)
    at com.squareup.okhttp.Connection.connect(Connection.java:151)
    at com.squareup.okhttp.OkHttpClient$1.connect(OkHttpClient.java:92)
    at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:273)
    at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:210)
    at com.squareup.okhttp.Call.getResponse(Call.java:203)
    at com.squareup.okhttp.Call.execute(Call.java:80)
    at com.squareup.okhttp.curl.Main.run(Main.java:143)
    at com.squareup.okhttp.curl.Main.main(Main.java:65)
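The opening post asks how SNI support can be tested ad hoc, and the two comments above do it by pointing okcurl at sni.velox.ch, with `-Djsse.enableSNIExtension=false` as the negative case. The script below is an added example, not part of this issue or of OkHttp: it performs the same check offline by driving a TLS client handshake through Python's `ssl.MemoryBIO`, capturing the ClientHello bytes and parsing the server_name extension (RFC 6066) out of them, so no external echo service is needed. The hostname `bob.sni.velox.ch` is reused from the thread only as a string; nothing is sent to it. Java's `jsse.enableSNIExtension` has no Python counterpart, so the negative case is modelled by omitting `server_hostname`, which makes the client send no SNI at all.

```python
"""Capture the ClientHello a TLS client emits and report the SNI it carries.

The handshake runs through in-memory BIOs, so no network is involved and the
ClientHello can be inspected byte-for-byte rather than trusting a remote echo.
"""
import ssl
import struct

TLS_HANDSHAKE = 22      # ContentType.handshake
HS_CLIENT_HELLO = 1     # HandshakeType.client_hello
EXT_SERVER_NAME = 0     # ExtensionType.server_name (RFC 6066)
NAME_TYPE_HOST = 0      # NameType.host_name


def capture_client_hello(hostname):
    """Start a client handshake in memory and return the bytes it wrote."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hostname is None:
        # Negative case: with no server_hostname the client sends no SNI.
        # check_hostname has to be turned off first or wrap_bio refuses None.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, ServerHello never arrives
    return outgoing.read()


def handshake_payload(records):
    """Concatenate the bodies of all handshake-type TLS records."""
    payload, off = b"", 0
    while off + 5 <= len(records):
        ctype, _version, length = struct.unpack("!BHH", records[off:off + 5])
        off += 5
        if ctype == TLS_HANDSHAKE:
            payload += records[off:off + length]
        off += length
    return payload


def parse_server_name_list(ext):
    """Decode the ServerNameList carried in a server_name extension."""
    list_len = int.from_bytes(ext[0:2], "big")
    names, pos = [], 2
    while pos + 3 <= 2 + list_len:
        name_type = ext[pos]
        nlen = int.from_bytes(ext[pos + 1:pos + 3], "big")
        name = ext[pos + 3:pos + 3 + nlen]
        pos += 3 + nlen
        if name_type == NAME_TYPE_HOST:
            names.append(name.decode("ascii"))
    return names


def extract_sni(records):
    """Return the host_name list from a ClientHello, or None if no SNI was sent."""
    body = handshake_payload(records)
    if not body or body[0] != HS_CLIENT_HELLO:
        raise ValueError("captured bytes do not start with a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos + 2 > len(hello):
        return None                                         # no extensions block
    ext_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
        if etype == EXT_SERVER_NAME:
            return parse_server_name_list(hello[pos + 4:pos + 4 + elen])
        pos += 4 + elen
    return None


def client_hello_sni(hostname):
    """What server_name does this client put in its ClientHello for hostname?"""
    return extract_sni(capture_client_hello(hostname))


if __name__ == "__main__":
    # Hostname reused from the thread purely as a string; no traffic is sent.
    print("with hostname:   ", client_hello_sni("bob.sni.velox.ch"))
    print("without hostname:", client_hello_sni(None))
```

The same `extract_sni` parser works on a ClientHello captured from any client (a pcap of okcurl, for instance), which is the platform-independent half of the test the issue is after; only `capture_client_hello` is specific to Python's ssl module.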
adriancole May 14, 2014

Collaborator

I'm going to close this off until we have an action to take.
