How to set “jsse.enableSNIExtension” to false only for a single HTTPURLConnection?

╄→尐↘猪︶ㄣ 提交于 2019-12-08 07:06:36

问题


I currently have an application that would make HTTP post request to a lot of URLs. Some of the connections are failing with the following exception.

Exception in thread "main" javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)

. . .

Hence, I want to set “jsse.enableSNIExtension” to false only for specific connections which throw the above mentioned exception.

How do I do it on an HTTPsURLConnection/SSLSocket level?

Code

URL url = new URL("https://artofskinmd.localgiftcards.com/");
HttpURLConnection httpConnection = (HttpURLConnection) url.openConnection();

httpConnection.connect();

I am trying to find a way to change the SSLParameters for the HttpsURLConnection object. But I am unable to find any setSSLParameters() method for setting an empty server names list. I am not able to find anything online on setting SSLParameters for HttpURLConnection, SSLContext etc


回答1:


Obviously the site depends on SNI, otherwise it would not care about the name sent by the client in the SNI extension. This means that disabling the extension will probably not help, but instead you would then either get some handshake failure or some default site (and certificate) and probably not the site you have intended. To fix the problem you should not disable SNI but instead use the correct name, i.e. the name expected by the site.

Edit: This looks like both a bad server configuration together with a bug in Java7 and Java8. Access to the URL https://artofskinmd.localgiftcards.com/ will result in a unknown_name TLS alert warning which Java7 and Java8 wrongly consider fatal (same as the very old OpenSSL 0.9.8). Disabling SNI will actually help in this case, but there seems to be no way to disable SNI for a single HttpURLConnection object.




回答2:


See Java jar - no main manifest attribute

And this commit

https://github.com/Lekensteyn/OWASP-WebScarab/commit/8f2362eb021924cece9fb544f04bde5da7bfed4a



来源:https://stackoverflow.com/questions/32068009/how-to-set-jsse-enablesniextension-to-false-only-for-a-single-httpurlconnectio

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!