Java TLS:在客户端握手上禁用SNI

huangapple
go评论83阅读模式
英文:

Java TLS: Disable SNI on client handshake

问题

我正在尝试创建一个JVM HTTP客户端,它在客户端握手中不会发送server_name(长话短说,我正在模拟一个不支持SNI的旧系统)。

设置SSLParametersserverNames并不能起作用,我仍然可以在Wireshark中看到"Server Name Indication extension"。

fun run() {
    val keyStore = keyStore()
    val trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    trustFactory.init(keyStore)
    val sslContext = SSLContext.getInstance("SSL")
    sslContext.init(null, trustFactory.trustManagers, null)

    val httpClient = HttpClient.newBuilder()
        .sslContext(sslContext)
        .sslParameters(sslContext.defaultSSLParameters.apply {
            serverNames = null
        })
        .build()

    val request = HttpRequest.newBuilder()
        .uri(URI.create("https://example.com/hello"))
        .GET()
        .build()

    httpClient.send(request, HttpResponse.BodyHandlers.ofString())
}

完整代码在这个Gist链接中。

我如何阻止客户端发送SNI扩展?

英文:

I'm trying to create a JVM HTTP client which will not send server_name in the Client Handshake (long story, but I'm simulating a legacy system which doesn't support SNI).

Setting the serverNames SSLParameters doesn't do the trick, I can still see the "Server Name Indication extension" in Wireshark.

fun run() {
    val keyStore = keyStore()
    val trustFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    trustFactory.init(keyStore)
    val sslContext = SSLContext.getInstance("SSL")
    sslContext.init(null, trustFactory.trustManagers, null)

    val httpClient = HttpClient.newBuilder()
        .sslContext(sslContext)
        .sslParameters(sslContext.defaultSSLParameters.apply {
            serverNames = null
        })
        .build()

    val request = HttpRequest.newBuilder()
        .uri(URI.create("https://example.com/hello"))
        .GET()
        .build()

    httpClient.send(request, HttpResponse.BodyHandlers.ofString())
}

Full code in this gist.

How can I stop the client from sending the SNI extension?

答案1

得分: 1

如果您不介意该设置应用于整个JVM,尝试使用:

jsse.enableSNIExtension=false
英文:

If you don't mind the setting applying to the whole JVM, try

jsse.enableSNIExtension=false

huangapple
  • 本文由 发表于 2020年9月23日 18:01:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/64025494.html
  • java
  • kotlin
  • ssl
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定