I have code that has worked for a long time that receives data from web applications via HTTP. It uses Apache HTTPClient (v. 4.5.2) and works great for sites with and without SSL.
I recently tried using it for another site that uses SNI. Everything works fine on my Windows machine, but if I try to run it on an AWS EC2 Linux instance, I get a handshake error (due to SNI).
Here is what I am running:
Windows Java
- Java version "1.8.0_101"
- Java (TM) SE Runtime Environment (build 1.8.0_101-b13)
- HotSpot (TM) Java Client Virtual Machine (build 25.101-b13, mixed mode, sharing)
AWS Linux Java
- openjdk version "1.8.0_91"
- OpenJDK Runtime Environment (Build 1.8.0_91-b14)
- OpenJDK 64-bit server virtual machine (build 25.91-b14, mixed mode)
I'm not sure which component is ultimately responsible for the failure (Java 8, runtime, HTTPClient).
I saw this ( https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension ), but I'm not sure how to adapt this for HTTPClient. And besides, if I had to make changes to the code, why would it work on Windows?
Does anyone know what to do?
Edit: As expected, I looked at the jsse.enableSNIExtension property. This seemed wrong, because it looks like this is a way to disable SSL, and that is not what I want.
/ Windows, . Linux, , .
:
Windows - System.setProperty("jsse.enableSNIExtension", "false");
=================================================================
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 189
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, internal_error
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
Windows - System.setProperty("jsse.enableSNIExtension", "true");
================================================================
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
Linux - System.setProperty("jsse.enableSNIExtension", "true");
==============================================================
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
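
A diagnostic that can be run unchanged on both machines, added here as an example and not part of the original post. With SNI enabled, the logged ClientHello is 215 bytes on Windows and 143 bytes on Linux, so the two JVMs are not offering the same things; this prints what each one offers and then handshakes with the server name set explicitly through the JSSE SNI API from the linked guide. The class name `SniProbe` and the default host are placeholders.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.TreeSet;

public class SniProbe {
    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the real one as the first argument.
        String host = args.length > 0 ? args[0] : "sni.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // JVM identity and the SNI switch (unset means the extension is enabled).
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("jsse.enableSNIExtension = "
                + System.getProperty("jsse.enableSNIExtension", "(unset)"));

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Sorted so the output of the two machines can be diffed line by line.
            System.out.println("protocols: " + Arrays.toString(socket.getEnabledProtocols()));
            for (String suite : new TreeSet<>(Arrays.asList(socket.getEnabledCipherSuites()))) {
                System.out.println("suite: " + suite);
            }

            // Set the server name explicitly instead of relying on the default,
            // and keep hostname verification on.
            SSLParameters params = socket.getSSLParameters();
            params.setServerNames(
                    Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            try {
                socket.startHandshake();
                System.out.println("negotiated: " + socket.getSession().getProtocol()
                        + " / " + socket.getSession().getCipherSuite());
            } catch (SSLException e) {
                System.out.println("handshake failed: " + e.getMessage());
            }
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` on each machine produces the same kind of trace as the logs above, alongside the sorted protocol and suite lists.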