I'm using org.apache.http.ssl.SSLContextBuilder to provide my certificate/keys in my HTTPS requests, but I would like to customize my SNI in the TLS handshake and I'm not sure where I can do this.

Does the Apache Java lib allow this customization?

I found https://hc.apache.org/httpcomponents-client-4.5.x/httpclient/apidocs/org/apache/http/conn/ssl/SSLConnectionSocketFactory.html and "How to enable SNI in HTTP request using Apache HTTPComponents HttpClient?", but neither has anything about methods to set SNI in the Apache lib.

  • The answer to the second question says you don't need to. You just have to use Java 1.7 or upwards. – Gerard H. Pille Jan 17 '20 at 13:46
  • @GerardH.Pille Sure, I'm using Java 1.8, so SNI is being sent. But is there a method to set Server Name Indication somehow? I mean, is this 'possible' using Apache HttpComponents? – Bart Jan 17 '20 at 14:05
  • It'll be based on the host name you're using. Would you want it to be something else? – Gerard H. Pille Jan 17 '20 at 14:44
  • Yes. Postman, for example, uses the header 'Host' to set the SNI and I'd like something like this in HttpComponents (in HttpComponents the SNI is set using the hostname in the URL). – Bart Jan 17 '20 at 17:43
  • The hostname in the URL is used to find the IP address of the server, and to set the Host header and the SNI. The server may be hosting multiple domains, and it doesn't know which key to use to decode without the plain-text SNI. Without it, it will use the first key available. Is the hostname in the URL not sufficient for you? – Gerard H. Pille Jan 17 '20 at 18:13
  • @GerardH.Pille I need to use the "--resolve" flag in the curl command to do the TLS handshake with the backend I need to make the request to: curl -X GET https://example.domain.enterprise.com/api/v1/resource/1 -vva --cert certificate.pem --key private.key -k --resolve example.domain.enterprise.com:443:1.2.3.4 – Bart Jan 17 '20 at 19:01
  • "Is the hostname in the URL not sufficient for you?" Actually no, because the hostname is different from the SNI field in the TLS handshake. Example in the curl: the hostname is example.domain.enterprise.com because my SNI field needs to be "example.domain.enterprise.com" to access the 1.2.3.4 server. – Bart Jan 17 '20 at 19:05
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/206169/discussion-between-bart-and-gerard-h-pille). – Bart Jan 17 '20 at 19:18
  • @GerardH.Pille In essence, when I run "openssl s_client -connect name1.com:443 -servername name1.com" I get an ERROR, and when I run "openssl s_client -connect endpoint.com:443 -servername another_name.com" I get SUCCESS =/ – Bart Jan 17 '20 at 19:21
  • You could put "example.domain.enterprise.com 1.2.3.4" in /etc/hosts. – Gerard H. Pille Jan 17 '20 at 22:17
  • @GerardH.Pille Thanks! That will work for me. – Bart Jan 18 '20 at 19:51
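The /etc/hosts and curl --resolve workarounds discussed in the comments have an in-process equivalent in HttpClient 4.x: a DnsResolver that pins the URL hostname to the backend address, so SNI, the Host header and hostname verification all keep using the name in the URL while the TCP connection goes to the chosen IP. This is an added example, not code from the question or from HttpComponents; the PKCS#12 file name client.p12, its password, and the 1.2.3.4 address from the comments are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.InMemoryDnsResolver;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContextBuilder;

public class PinnedBackendClient {
    public static void main(String[] args) throws Exception {
        // The name in the URL is what HttpClient puts into the SNI extension and
        // the Host header, and what the certificate is checked against.
        String host = "example.domain.enterprise.com";
        // Placeholder backend address, taken from the --resolve example in the comments.
        InetAddress backend = InetAddress.getByName("1.2.3.4");

        // Client certificate and key, as in the question (assumed PKCS#12 file and password).
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("client.p12")) {
            clientKeys.load(in, "changeit".toCharArray());
        }
        SSLContext sslContext = SSLContextBuilder.create()
                .loadKeyMaterial(clientKeys, "changeit".toCharArray())
                .build(); // default trust store; server cert verification stays enabled

        // Programmatic equivalent of the /etc/hosts entry: resolve the name to the
        // pinned backend without changing the hostname (and therefore the SNI).
        InMemoryDnsResolver dns = new InMemoryDnsResolver();
        dns.add(host, backend);

        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", new SSLConnectionSocketFactory(sslContext))
                .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry, dns);

        try (CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();
             CloseableHttpResponse resp = client.execute(new HttpGet("https://" + host + "/api/v1/resource/1"))) {
            System.out.println(resp.getStatusLine());
        }
    }
}
```

Unlike the -k in the curl command, certificate and hostname verification remain on here: because the URL hostname is unchanged, the default hostname verifier checks the served certificate against example.domain.enterprise.com, and the connection fails if the pinned backend presents a certificate for a different name.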
