Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8294170

HttpClient ignores/clobbers server names set on passed-in SSLParameters

XMLWordPrintable

    • generic
    • generic

      A DESCRIPTION OF THE PROBLEM :
      We use SNI to request a specific certificate from the server. While the server name used in the SNI extension often matches the hostname in the request URI, it sometimes does not. For example, when testing that the server is correctly configured to present the appropriate certificate depending on the server name in the SNI extension. However, there does not appear to be any way to pass in the desired SNI SSL parameter to HttpClient, as the HttpClient always clobbers the server names we set with the hostname from the URI. Example source code below.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      javax.net.ssl|DEBUG|10|main|2022-09-19 11:24:53.975 PDT|SSLCipher.java:466|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.333 PDT|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.334 PDT|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.335 PDT|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2
      javax.net.ssl|INFO|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.405 PDT|AlpnExtension.java:182|No available application protocols
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.406 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.407 PDT|SessionTicketExtension.java:408|Stateless resumption supported
      javax.net.ssl|ALL|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.410 PDT|SignatureScheme.java:412|Ignore disabled signature scheme: rsa_md5
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.411 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.436 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.436 PDT|PreSharedKeyExtension.java:661|No session to resume.
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.436 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.445 PDT|ClientHello.java:641|Produced ClientHello handshake message (
      "ClientHello": {
        "client version" : "TLSv1.2",
        "random" : "8ED9C64D36E1EC795966268A51E19587C8BF1474A5C27AC06E1DC4FCED998CF9",
        "session id" : "001687CC1230E1FE125B8F80E5376947DAD7A0D61213278C7F0A5315C55E2546",
        "cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
        "compression methods" : "00",
        "extensions" : [
          "server_name (0)": {
            type=host_name (0), value=mycert.example.com
          },
          "status_request (5)": {
            "certificate status type": ocsp
            "OCSP status request": {
              "responder_id": <empty>
              "request extensions": {
                <empty>
              }
            }
          },
          "supported_groups (10)": {
            "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
          },
          "ec_point_formats (11)": {
            "formats": [uncompressed]
          },
          "status_request_v2 (17)": {
            "cert status request": {
              "certificate status type": ocsp_multi
              "OCSP status request": {
                "responder_id": <empty>
                "request extensions": {
                  <empty>
                }
              }
            }
          },
          "extended_master_secret (23)": {
            <empty>
          },
          "session_ticket (35)": {
            <empty>
          },
          "signature_algorithms (13)": {
            "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
          },
          "supported_versions (43)": {
            "versions": [TLSv1.3, TLSv1.2]
          },
          "psk_key_exchange_modes (45)": {
            "ke_modes": [psk_dhe_ke]
          },
          "signature_algorithms_cert (50)": {
            "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
          },
          "key_share (51)": {
            "client_shares": [
              {
                "named group": x25519
                "key_exchange": {
                  0000: 18 3F C7 95 2E A3 2F C3 36 1E DD 30 D7 04 7C E6 .?..../.6..0....
                  0010: 40 2C 9F 7A 8D 89 72 88 CB 8B C2 56 36 B3 AE 7C @,.z..r....V6...
                }
              },
              {
                "named group": secp256r1
                "key_exchange": {
                  0000: 04 CF 35 5A 4A C8 32 C0 63 DC 3C 10 41 80 AC 2B ..5ZJ.2.c.<.A..+
                  0010: 70 92 5A 97 A0 C3 9E 3F D5 99 A2 C6 83 1D F9 1A p.Z....?........
                  0020: 5D B3 7E 14 A1 72 C9 A1 AE E7 53 9A 3A 66 5E 44 ]....r....S.:f^D
                  0030: ED C2 B0 98 87 BF 98 86 5B 7C 2E 94 E8 56 3E E3 ........[....V>.
                  0040: 60
                }
              },
            ]
          }
        ]
      }
      )
      ACTUAL -
      javax.net.ssl|DEBUG|10|main|2022-09-19 11:24:53.975 PDT|SSLCipher.java:466|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.333 PDT|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.334 PDT|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.335 PDT|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2
      javax.net.ssl|INFO|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.405 PDT|AlpnExtension.java:182|No available application protocols
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.406 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.407 PDT|SessionTicketExtension.java:408|Stateless resumption supported
      javax.net.ssl|ALL|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.410 PDT|SignatureScheme.java:412|Ignore disabled signature scheme: rsa_md5
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.411 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.436 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.436 PDT|PreSharedKeyExtension.java:661|No session to resume.
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.436 PDT|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
      javax.net.ssl|DEBUG|21|HttpClient-1-Worker-0|2022-09-19 11:24:54.445 PDT|ClientHello.java:641|Produced ClientHello handshake message (
      "ClientHello": {
        "client version" : "TLSv1.2",
        "random" : "8ED9C64D36E1EC795966268A51E19587C8BF1474A5C27AC06E1DC4FCED998CF9",
        "session id" : "001687CC1230E1FE125B8F80E5376947DAD7A0D61213278C7F0A5315C55E2546",
        "cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
        "compression methods" : "00",
        "extensions" : [
          "server_name (0)": {
            type=host_name (0), value=severundertest.example.com
          },
          "status_request (5)": {
            "certificate status type": ocsp
            "OCSP status request": {
              "responder_id": <empty>
              "request extensions": {
                <empty>
              }
            }
          },
          "supported_groups (10)": {
            "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
          },
          "ec_point_formats (11)": {
            "formats": [uncompressed]
          },
          "status_request_v2 (17)": {
            "cert status request": {
              "certificate status type": ocsp_multi
              "OCSP status request": {
                "responder_id": <empty>
                "request extensions": {
                  <empty>
                }
              }
            }
          },
          "extended_master_secret (23)": {
            <empty>
          },
          "session_ticket (35)": {
            <empty>
          },
          "signature_algorithms (13)": {
            "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
          },
          "supported_versions (43)": {
            "versions": [TLSv1.3, TLSv1.2]
          },
          "psk_key_exchange_modes (45)": {
            "ke_modes": [psk_dhe_ke]
          },
          "signature_algorithms_cert (50)": {
            "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
          },
          "key_share (51)": {
            "client_shares": [
              {
                "named group": x25519
                "key_exchange": {
                  0000: 18 3F C7 95 2E A3 2F C3 36 1E DD 30 D7 04 7C E6 .?..../.6..0....
                  0010: 40 2C 9F 7A 8D 89 72 88 CB 8B C2 56 36 B3 AE 7C @,.z..r....V6...
                }
              },
              {
                "named group": secp256r1
                "key_exchange": {
                  0000: 04 CF 35 5A 4A C8 32 C0 63 DC 3C 10 41 80 AC 2B ..5ZJ.2.c.<.A..+
                  0010: 70 92 5A 97 A0 C3 9E 3F D5 99 A2 C6 83 1D F9 1A p.Z....?........
                  0020: 5D B3 7E 14 A1 72 C9 A1 AE E7 53 9A 3A 66 5E 44 ]....r....S.:f^D
                  0030: ED C2 B0 98 87 BF 98 86 5B 7C 2E 94 E8 56 3E E3 ........[....V>.
                  0040: 60
                }
              },
            ]
          }
        ]
      }
      )

      ---------- BEGIN SOURCE ----------
      import javax.net.ssl.SNIHostName;
      import javax.net.ssl.SSLParameters;
      import java.net.URI;
      import java.net.http.HttpClient;
      import java.net.http.HttpRequest;
      import java.net.http.HttpResponse;
      import java.nio.charset.StandardCharsets;
      import java.util.Collections;

      public class TestSni {

          public static void main(String[] args) throws Exception {
              System.setProperty("javax.net.debug", "ssl:handshake:verbose");

              SSLParameters sslParameters = new SSLParameters();
              sslParameters.setServerNames(Collections.singletonList(new SNIHostName("mycert.example.com")));
              HttpClient httpClient = HttpClient.newBuilder()
                      .sslParameters(sslParameters)
                      .build();
              HttpResponse<String> response = httpClient.send(HttpRequest.newBuilder()
                              .GET()
                              .uri(URI.create("https://severundertest.example.com/"))
                              .build(),
                      HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
              String r = response.body();
              System.out.println(r);
          }

      }
      ---------- END SOURCE ----------

      FREQUENCY : always


        1. SDFTest.java
          0.6 kB

            jpai Jaikiran Pai
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: