Java TLS:在客户端握手上禁用SNI

huangapple go评论114阅读模式
英文:

Java TLS: Disable SNI on client handshake

问题

我正在尝试创建一个JVM HTTP客户端,它在客户端握手中不会发送server_name(长话短说,我正在模拟一个不支持SNI的旧系统)。

设置SSLParametersserverNames并不能起作用,我仍然可以在Wireshark中看到"Server Name Indication extension"。

  1. fun run() {
  2. val keyStore = keyStore()
  3. val trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
  4. trustFactory.init(keyStore)
  5. val sslContext = SSLContext.getInstance("SSL")
  6. sslContext.init(null, trustFactory.trustManagers, null)
  7. val httpClient = HttpClient.newBuilder()
  8. .sslContext(sslContext)
  9. .sslParameters(sslContext.defaultSSLParameters.apply {
  10. serverNames = null
  11. })
  12. .build()
  13. val request = HttpRequest.newBuilder()
  14. .uri(URI.create("https://example.com/hello"))
  15. .GET()
  16. .build()
  17. httpClient.send(request, HttpResponse.BodyHandlers.ofString())
  18. }

完整代码在这个Gist链接中。

我如何阻止客户端发送SNI扩展?

英文:

I'm trying to create a JVM HTTP client which will not send server_name in the Client Handshake (long story, but I'm simulating a legacy system which doesn't support SNI).

Setting the serverNames SSLParameters doesn't do the trick, I can still see the "Server Name Indication extension" in Wireshark.

  1. fun run() {
  2. val keyStore = keyStore()
  3. val trustFactory =
  4. TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
  5. trustFactory.init(keyStore)
  6. val sslContext = SSLContext.getInstance("SSL")
  7. sslContext.init(null, trustFactory.trustManagers, null)
  8. val httpClient = HttpClient.newBuilder()
  9. .sslContext(sslContext)
  10. .sslParameters(sslContext.defaultSSLParameters.apply {
  11. serverNames = null
  12. })
  13. .build()
  14. val request = HttpRequest.newBuilder()
  15. .uri(URI.create("https://example.com/hello"))
  16. .GET()
  17. .build()
  18. httpClient.send(request, HttpResponse.BodyHandlers.ofString())
  19. }

Full code in this gist.

How can I stop the client from sending the SNI extension?

答案1

得分: 1

如果您不介意该设置应用于整个JVM,尝试使用:

  1. jsse.enableSNIExtension=false
英文:

If you don't mind the setting applying to the whole JVM, try

  1. jsse.enableSNIExtension=false

huangapple
  • 本文由 发表于 2020年9月23日 18:01:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/64025494.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定