drazenko
Reputation: 66
How to fetch HTTPS web resurce with HttpClient 4.5.2 & JDK 1.8 when server uses Server Name Indication (SNI) extension?
I can't fetch resources from SNI sites with HttpClient. URLs I am trying to fetch are: https://dabar.srce.hr/, https://www.lutrija.hr/cms/splash.
I get this error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
As I understand the documentation it should work like this out of the box (and it works for non sni https sites):
url = "https://dabar.srce.hr/";
SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
// trust all certificates
public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
return true;
}
}).build();
SSLConnectionSocketFactory sslSF = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslSF).build();
HttpGet httpGet = new HttpGet(url);
CloseableHttpResponse response = httpclient.execute(httpGet);
System.out.println(response.getStatusLine().toString());
HttpEntity entity = response.getEntity();
System.out.println(EntityUtils.toString(entity));
I tried to explicitly enable SNIExtension:
System.setProperty("jsse.enableSNIExtension", "true");
I tried overriding SSLConnectionSocketFactory:
SSLConnectionSocketFactory sslSF = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE) {
String targetHost = "";
@Override
public Socket createLayeredSocket(Socket socket, String target, int port, HttpContext context)
throws IOException {
this.targetHost = target;
return super.createLayeredSocket(socket, target, port, context);
}
@Override
protected void prepareSocket(SSLSocket socket) throws IOException {
try {
PropertyUtils.setProperty(socket, "host", this.targetHost);
} catch (Exception ex) {
}
super.prepareSocket(socket);
}
@Override
public Socket connectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpContext context)
throws IOException {
if (socket instanceof SSLSocket) {
try {
PropertyUtils.setProperty(socket, "host", host.getHostName());
} catch (NoSuchMethodException e) {
} catch (IllegalAccessException e) {
} catch (InvocationTargetException e) {
}
}
return super.connectSocket(connectTimeout, socket, host, remoteAddress,
localAddress, context);
}
};
What am I missing?
Upvotes: 2
Views: 1542
Answers (1)
Holger
Reputation: 447
I ran into the same issue. This custom SSLConnectionSocketFactory fixed it for me:
public class TrustAllSslSocketFactory extends SSLConnectionSocketFactory {
static final HostnameVerifier ALL_HOSTNAME_VERIFIER = (String hostname, SSLSession session) -> true;
public TrustAllSslSocketFactory(SSLContext sslContext) {
super(sslContext, ALL_HOSTNAME_VERIFIER);
}
@Override
protected void prepareSocket(SSLSocket socket) throws IOException {
String hostName = socket.getInetAddress().getHostName();
SNIHostName sniHostName = new SNIHostName(hostName);
List<SNIServerName> serverNames = new ArrayList<>(1);
serverNames.add(sniHostName);
SSLParameters sslParameters = socket.getSSLParameters();
sslParameters.setServerNames(serverNames);
socket.setSSLParameters(sslParameters);
}
}
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExamples
Upvotes: 3
Related Questions
- How to enable SNI in HTTP request using Apache HTTPComponents HttpClient?
- Extended server_name (SNI Extension) not sent with jdk1.8.0 but send with jdk1.7.0
- SSL in HttpClient
- Java SNI unrecognized name
- TLS extension "Server Name Indication" (SNI): value not available on server side
- How Do We Enable SNI in HttpClient 4.4+ on Android?
- Apache HttpClient get server certificate
- In Java 8 can HttpsURLConnection be made to send server name indication (SNI)
- Server Name Indication (SNI) on Java
- Certificate chain different between HTTPSURLconnection and Apache (System) DefaultHttpClient