Java TLS: Disable SNI on client handshake

Question

I'm trying to create a JVM HTTP client which will not send server_name in the Client Handshake (long story, but I'm simulating a legacy system which doesn't support SNI).

Setting the serverNames SSLParameters doesn't do the trick, I can still see the "Server Name Indication extension" in Wireshark.

fun run() {
    val keyStore = keyStore()
    val trustFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    trustFactory.init(keyStore)
    val sslContext = SSLContext.getInstance("SSL")
    sslContext.init(null, trustFactory.trustManagers, null)

    val httpClient = HttpClient.newBuilder()
        .sslContext(sslContext)
        .sslParameters(sslContext.defaultSSLParameters.apply {
            serverNames = null
        })
        .build()

    val request = HttpRequest.newBuilder()
        .uri(URI.create("https://example.com/hello"))
        .GET()
        .build()

    httpClient.send(request, HttpResponse.BodyHandlers.ofString())
}

Full code in this gist.

How can I stop the client from sending the SNI extension?

have you tried setHostnameVerifier(NoopHostNameVerifier.Instance) or setHostnameVerifier(new SSLSkipSNIHostnameVerifier() — Sagar Kharab, Sep 23 '20 at 10:16
null means use the default (which is to send the name from the URL or open, unless the sysprop says no); to explicity send none [try setting an empty List](https://stackoverflow.com/questions/55903477/#56233394) — dave_thompson_085, Sep 23 '20 at 11:03
@KevinBoone you are correct. Please feel free to add that as the answer. — Niel de Wet, Sep 23 '20 at 12:32
@dave_thompson_085 unfortunate an empty list doesn't solve it. — Niel de Wet, Sep 23 '20 at 12:34

score 1 · Accepted Answer · answered Sep 23 '20 at 12:33

1

If you don't mind the setting applying to the whole JVM, try

jsse.enableSNIExtension=false

answered Sep 23 '20 at 12:33

Kevin Boone

4,092
1
11
15

Java TLS: Disable SNI on client handshake

1 Answers1

Linked