Re: SNI not sent with Java 22+ using java.net.http.HttpClient.Builder#sslParameters

Mon, 25 Nov 2024 00:49:34 -0800 

Hello Nicolas,

On 25/11/24 2:05 pm, Nicolas Henneaux wrote:

Hi Jaikiran,

For unknown reason, I have not received your reply.
Not sure what happened but here's my previous reply https://mail.openjdk.org/pipermail/net-dev/2024-November/024726.html.
The issue I have is SslParameters#ServerNames is now overridden by an empty list as the IP is not detected as a valid name.
The RFC-6066 section 3 https://www.rfc-editor.org/rfc/rfc6066#section-3 which specifies the Server Name Indication (SNI) semantics, explicitly states that IP addresses aren't allowed as SNI values: 

    Currently, the only server names supported are DNS hostnames
    ...
    Literal IPv4 and IPv6 addresses are not permitted in "HostName".
This pull request reproduced the issue https://github.com/nhenneaux/resilient-httpclient/pull/68. 

I'll take a deeper look at that test case later today. Thank you for that.

-Jaikiran
This would fix the issue by merging the detected hostname with the configured list of server names https://github.com/openjdk/jdk/pull/22211/files. Perhaps it is better to only use the configuration instead of detected name in such case? 

I hope it clarifies the issue I have.

Best regards,

Nicolas
On Nov 18, 2024, at 5:46 PM, Nicolas Henneaux <nico...@henneaux.io> wrote: 


Hi Daniel,

Thanks for your answer!
I know it is not supported hence I have built some years ago a library around HttpClient to do that. 
https://github.com/nhenneaux/resilient-httpclient
I made a pull request with the fix I would need to be applied https://github.com/openjdk/jdk/pull/22211/files.
I think it is a regression introduced in Java22 since configured SslParameters#ServerNames is now discarded in favour of the HTTP hostname which is not valid if the hostname is an IP. 

Best regards,

Nicolas
On Nov 18, 2024, at 5:40 PM, Daniel Fuchs <daniel.fu...@oracle.com> wrote: 


Hi Nicolas,

If I understand correctly, you would like to be able to select which
IP address is used when connecting to a host that has several
IP addresses.

This functionality is currently not supported by the HttpClient.

best regards,

-- daniel

On 18/11/2024 15:56, Nicolas Henneaux wrote:
In the library, I force the IP in the HTTP request to enforce the target 
IP keeping the HTTP host header and SNI aligned with the actual value.
The detected SNI is then empty, is it possible to support both detected 
and specified SNI?

Reply via email to