Yes,
like I already mentioned, it is not an SNI problem.

Because I was using PoolingAsyncClientConnectionManager I decided to
replace it with PoolingHttpClientConnectionManager and it worked. So the
problem is not in the SNI but in the PoolingAsyncClientConnectionManager. I
am following this guide exactly:
https://hc.apache.org/httpcomponents-client-5.2.x/migration-guide/migration-to-async-simple.html

and I don't know what to do - I always get
org.apache.hc.core5.util.TimeoutValueException.


On Sat, 12.08.2023 at 12:16, Oleg Kalnichevski <ol...@apache.org> wrote:

> I see no evidence of SNI not working:
>
> try (final CloseableHttpAsyncClient client = HttpAsyncClients.custom()
>         .build()) {
>
>     client.start();
>
>     final HttpHost endpoint = new HttpHost("https",
>             InetAddress.getByName("www.google.com"), "www.google.ch", 443);
>     final HttpClientContext clientContext = HttpClientContext.create();
>
>     final SimpleHttpRequest request = SimpleRequestBuilder.get()
>             .setPath("/")
>             .build();
>
>     System.out.println("Executing request " + request);
>     final Future<SimpleHttpResponse> future = client.execute(
>             endpoint,
>             SimpleRequestProducer.create(request),
>             SimpleResponseConsumer.create(),
>             null,
>             clientContext,
>             new FutureCallback<SimpleHttpResponse>() {
>
>                 @Override
>                 public void completed(final SimpleHttpResponse response) {
>                     System.out.println(request + "->" + new StatusLine(response));
>                     final SSLSession sslSession = clientContext.getSSLSession();
>                     if (sslSession != null) {
>                         System.out.println("SSL protocol " + sslSession.getProtocol());
>                         System.out.println("SSL cipher suite " + sslSession.getCipherSuite());
>                     }
>                     System.out.println(response.getBody());
>                 }
>
>                 @Override
>                 public void failed(final Exception ex) {
>                     System.out.println(request + "->" + ex);
>                 }
>
>                 @Override
>                 public void cancelled() {
>                     System.out.println(request + " cancelled");
>                 }
>
>             });
>     future.get();
>
>     System.out.println("Shutting down");
>     client.close(CloseMode.GRACEFUL);
> }
>
> Executing request GET /
> 2023-08-12 11:11:53,809 DEBUG
> [main][org.apache.hc.client5.http.impl.async.InternalAbstractHttpAsyncClient]
> ex-0000000001 preparing request execution
> 2023-08-12 11:11:53,817 DEBUG
> [main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec]
> ex-0000000001 target auth state: UNCHALLENGED
> 2023-08-12 11:11:53,817 DEBUG
> [main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec]
> ex-0000000001 proxy auth state: UNCHALLENGED
> 2023-08-12 11:11:53,819 DEBUG
> [main][org.apache.hc.client5.http.impl.async.AsyncConnectExec]
> ex-0000000001 acquiring connection with route {s}->
> https://www.google.ch:443
> 2023-08-12 11:11:53,819 DEBUG
> [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
> ex-0000000001 acquiring endpoint (3 MINUTES)
> 2023-08-12 11:11:53,821 DEBUG
> [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
> ex-0000000001 endpoint lease request (3 MINUTES) [route: {s}->
> https://www.google.ch:443][total available: 0; route allocated: 0 of 5;
> total allocated: 0 of 25]
> 2023-08-12 11:11:53,823 DEBUG
> [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
> ex-0000000001 endpoint leased [route: {s}->https://www.google.ch:443][total
> available: 0; route allocated: 1 of 5; total allocated: 1 of 25]
> 2023-08-12 11:11:53,824 DEBUG
> [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
> ex-0000000001 acquired ep-0000000001
> 2023-08-12 11:11:53,824 DEBUG
> [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
> ex-0000000001 acquired endpoint ep-0000000001
> 2023-08-12 11:11:53,824 DEBUG
> [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
> ep-0000000001 connecting endpoint (null)
> 2023-08-12 11:11:53,825 DEBUG
> [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
> ep-0000000001 connecting endpoint to https://www.google.ch:443 (3 MINUTES)
> 2023-08-12 11:11:53,825 DEBUG
> [main][org.apache.hc.client5.http.impl.nio.MultihomeIOSessionRequester]
> www.google.ch:443 connecting null to www.google.com/142.250.184.68:443 (3
> MINUTES)
> 2023-08-12 11:11:53,890 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.DefaultManagedAsyncClientConnection]
> c-0000000000 start TLS
> 2023-08-12 11:11:53,904 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> Enabled protocols: [TLSv1.2]
> 2023-08-12 11:11:53,904 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> 2023-08-12 11:11:53,904 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> Starting handshake (3 MINUTES)
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.917
> CEST|SSLExtensions.java:260|Ignore, context unavailable extension:
> status_request
> javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920
> CEST|SignatureScheme.java:297|Signature algorithm, ed25519, is not
> supported by the underlying providers
> javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920
> CEST|SignatureScheme.java:297|Signature algorithm, ed448, is not supported
> by the underlying providers
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923
> CEST|SSLExtensions.java:260|Ignore, context unavailable extension:
> status_request_v2
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923
> CEST|SSLExtensions.java:260|Ignore, context unavailable extension:
> renegotiation_info
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.925
> CEST|ClientHello.java:575|Produced ClientHello handshake message (
> "ClientHello": {
>   "client version"      : "TLSv1.2",
>   "random"              : "03 B9 1C 75 11 97 C0 7C A5 E2 C0 CB 37 B7 6A 27
> 15 B9 BB 64 62 0A 10 BE B2 47 A2 17 3A 0F 59 8C",
>   "session id"          : "",
>   "cipher suites"       :
> "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
> TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
> TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
> TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
> TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008),
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(0xC012),
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016),
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013),
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC003),
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(0xC00D),
> SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A),
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>   "compression methods" : "00",
>   "extensions"          : [
>     "server_name (0)": {
>       type=host_name (0), value=www.google.ch
>     },
>
> ...
>
> 2023-08-12 11:11:54,166 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> Secure session established
> 2023-08-12 11:11:54,166 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> negotiated protocol: TLSv1.2
> 2023-08-12 11:11:54,166 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> negotiated cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> 2023-08-12 11:11:54,166 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> peer principal: CN=*.google.ch
> 2023-08-12 11:11:54,166 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> peer alternative names: [*.google.ch, google.ch]
> 2023-08-12 11:11:54,166 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
> issuer principal: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
> 2023-08-12 11:11:54,168 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
> ep-0000000001 connected c-0000000000
> 2023-08-12 11:11:54,168 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
> ep-0000000001 endpoint connected
> 2023-08-12 11:11:54,168 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec]
> ex-0000000001 connected to target
> 2023-08-12 11:11:54,168 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec]
> ex-0000000001 route fully established
> 2023-08-12 11:11:54,168 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec]
> ex-0000000001 executing GET / HTTP/1.1
> 2023-08-12 11:11:54,169 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
> ep-0000000001 start execution ex-0000000001
> 2023-08-12 11:11:54,169 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
> ep-0000000001 executing exchange ex-0000000001 over c-0000000000
>
>
> On Fri, 2023-08-11 at 18:50 -0600, Shawn Heisey wrote:
> > On 8/10/23 14:03, Petar Tahchiev wrote:
> > > Hi Jochen,
> > > I don't have 2 different SSL certificates.
> > > I have no idea what SNI is but that seems to be the only difference in the
> > > log from curl and httpclient5.
> >
> > https://en.wikipedia.org/wiki/Server_Name_Indication
> >
> > Basically it's a feature of TLS that allows a client to send a hint to a
> > server so it can decide which certificate to send.  With HTTPS, the SNI
> > value is typically the same as the Host header value that is later sent
> > over the encrypted channel.  With httpclient implementations, the SNI
> > value is usually extracted from the URL that has been requested.  So a
> > request for "https://www.example.com/some/path" would set the SNI and
> > Host header to www.example.com.
> >
> > This issue seems to be a case where the SNI value is missing, or maybe
> > sent or interpreted as the literal string "null".
> >
> > It seems odd that SNI could affect a server that doesn't have more than
> > one certificate.  Unless the server is deciding to not proceed with the
> > connection at all because it doesn't have a certificate that matches the
> > missing or incorrect SNI value.
> >
> > I have seen that things can often get fuzzy with Java software and TLS,
> > because Sun wrote their own implementation of TLS for Java, and it
> > sometimes does not behave exactly the same as other implementations.
> > I'm not trying to say that their implementation is wrong, but it does
> > behave differently than another implementation like openssl.
> >
> > I hope you can get the info you need to work around the difficulty.
> >
> > Thanks,
> > Shawn
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> > For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> >

-- 
Regards, Petar!
Karlovo, Bulgaria.
---
Public PGP Key at:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x19658550C3110611
Key Fingerprint: A369 A7EE 61BC 93A3 CDFF  55A5 1965 8550 C311 0611
