I see no evidence of SNI not working:

// Imports and a wrapper class added so the snippet compiles as posted; the class name is arbitrary.
import java.net.InetAddress;
import java.util.concurrent.Future;

import javax.net.ssl.SSLSession;

import org.apache.hc.client5.http.async.methods.SimpleHttpRequest;
import org.apache.hc.client5.http.async.methods.SimpleHttpResponse;
import org.apache.hc.client5.http.async.methods.SimpleRequestBuilder;
import org.apache.hc.client5.http.async.methods.SimpleRequestProducer;
import org.apache.hc.client5.http.async.methods.SimpleResponseConsumer;
import org.apache.hc.client5.http.impl.async.CloseableHttpAsyncClient;
import org.apache.hc.client5.http.impl.async.HttpAsyncClients;
import org.apache.hc.client5.http.protocol.HttpClientContext;
import org.apache.hc.core5.concurrent.FutureCallback;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.message.StatusLine;
import org.apache.hc.core5.io.CloseMode;

public class SniCheck {

    public static void main(final String[] args) throws Exception {
        try (final CloseableHttpAsyncClient client = HttpAsyncClients.custom()
                .build()) {
            client.start();

            // Connect to the resolved address of www.google.com but present
            // www.google.ch as the host name (SNI and Host header).
            final HttpHost endpoint = new HttpHost("https",
                    InetAddress.getByName("www.google.com"), "www.google.ch", 443);
            final HttpClientContext clientContext = HttpClientContext.create();
            final SimpleHttpRequest request = SimpleRequestBuilder.get()
                    .setPath("/")
                    .build();

            System.out.println("Executing request " + request);
            final Future<SimpleHttpResponse> future = client.execute(
                    endpoint,
                    SimpleRequestProducer.create(request),
                    SimpleResponseConsumer.create(),
                    null,
                    clientContext,
                    new FutureCallback<SimpleHttpResponse>() {

                        @Override
                        public void completed(final SimpleHttpResponse response) {
                            System.out.println(request + "->" + new StatusLine(response));
                            // The negotiated TLS session is exposed through the client context.
                            final SSLSession sslSession = clientContext.getSSLSession();
                            if (sslSession != null) {
                                System.out.println("SSL protocol " + sslSession.getProtocol());
                                System.out.println("SSL cipher suite " + sslSession.getCipherSuite());
                            }
                            System.out.println(response.getBody());
                        }

                        @Override
                        public void failed(final Exception ex) {
                            System.out.println(request + "->" + ex);
                        }

                        @Override
                        public void cancelled() {
                            System.out.println(request + " cancelled");
                        }

                    });
            future.get();

            System.out.println("Shutting down");
            client.close(CloseMode.GRACEFUL);
        }
    }

}

Executing request GET /
2023-08-12 11:11:53,809 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalAbstractHttpAsyncClient] ex-0000000001 preparing request execution
2023-08-12 11:11:53,817 DEBUG [main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec] ex-0000000001 target auth state: UNCHALLENGED
2023-08-12 11:11:53,817 DEBUG [main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec] ex-0000000001 proxy auth state: UNCHALLENGED
2023-08-12 11:11:53,819 DEBUG [main][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001 acquiring connection with route {s}->https://www.google.ch:443
2023-08-12 11:11:53,819 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ex-0000000001 acquiring endpoint (3 MINUTES)
2023-08-12 11:11:53,821 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ex-0000000001 endpoint lease request (3 MINUTES) [route: {s}->https://www.google.ch:443][total available: 0; route allocated: 0 of 5; total allocated: 0 of 25]
2023-08-12 11:11:53,823 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ex-0000000001 endpoint leased [route: {s}->https://www.google.ch:443][total available: 0; route allocated: 1 of 5; total allocated: 1 of 25]
2023-08-12 11:11:53,824 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ex-0000000001 acquired ep-0000000001
2023-08-12 11:11:53,824 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ex-0000000001 acquired endpoint ep-0000000001
2023-08-12 11:11:53,824 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ep-0000000001 connecting endpoint (null)
2023-08-12 11:11:53,825 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ep-0000000001 connecting endpoint to https://www.google.ch:443 (3 MINUTES)
2023-08-12 11:11:53,825 DEBUG [main][org.apache.hc.client5.http.impl.nio.MultihomeIOSessionRequester] www.google.ch:443 connecting null to www.google.com/142.250.184.68:443 (3 MINUTES)
2023-08-12 11:11:53,890 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.DefaultManagedAsyncClientConnection] c-0000000000 start TLS
2023-08-12 11:11:53,904 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Enabled protocols: [TLSv1.2]
2023-08-12 11:11:53,904 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2023-08-12 11:11:53,904 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Starting handshake (3 MINUTES)
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.917 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: status_request
javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920 CEST|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920 CEST|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.925 CEST|ClientHello.java:575|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "03 B9 1C 75 11 97 C0 7C A5 E2 C0 CB 37 B7 6A 27 15 B9 BB 64 62 0A 10 BE B2 47 A2 17 3A 0F 59 8C",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008), TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(0xC012), SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016), SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013), TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC003), TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(0xC00D), SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=www.google.ch
    },
    ...
2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Secure session established
2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] negotiated protocol: TLSv1.2
2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] negotiated cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] peer principal: CN=*.google.ch
2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] peer alternative names: [*.google.ch, google.ch]
2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] issuer principal: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ep-0000000001 connected c-0000000000
2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ep-0000000001 endpoint connected
2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001 connected to target
2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001 route fully established
2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec] ex-0000000001 executing GET / HTTP/1.1
2023-08-12 11:11:54,169 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ep-0000000001 start execution ex-0000000001
2023-08-12 11:11:54,169 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ep-0000000001 executing exchange ex-0000000001 over c-0000000000

On Fri, 2023-08-11 at 18:50 -0600, Shawn Heisey wrote:
> On 8/10/23 14:03, Petar Tahchiev wrote:
> > Hi Jochen,
> > I don't have 2 different SSL certificates.
> > I have no idea what SNI is but that seems to be the only difference in the
> > log from curl and httpclient5.
>
> https://en.wikipedia.org/wiki/Server_Name_Indication
>
> Basically it's a feature of TLS that allows a client to send a hint to a
> server so it can decide which certificate to send. With HTTPS, the SNI
> value is typically the same as the Host header value that is later sent
> over the encrypted channel. With httpclient implementations, the SNI
> value is usually extracted from the URL that has been requested. So a
> request for "https://www.example.com/some/path" would set the SNI and
> Host header to www.example.com.
>
> This issue seems to be a case where the SNI value is missing, or maybe
> sent or interpreted as the literal string "null".
>
> It seems odd that SNI could affect a server that doesn't have more than
> one certificate. Unless the server is deciding to not proceed with the
> connection at all because it doesn't have a certificate that matches the
> missing or incorrect SNI value.
>
> I have seen that things can often get fuzzy with Java software and TLS,
> because Sun wrote their own implementation of TLS for Java, and it
> sometimes does not behave exactly the same as other implementations.
> I'm not trying to say that their implementation is wrong, but it does
> behave differently than another implementation like openssl.
>
> I hope you can get the info you need to work around the difficulty.
>
> Thanks,
> Shawn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
>