Yes, as I already mentioned, it is not an SNI problem. Because I was using PoolingAsyncClientConnectionManager, I decided to replace it with PoolingHttpClientConnectionManager, and it worked. So the problem is not with SNI but with the PoolingAsyncClientConnectionManager. I am following this guide exactly: https://hc.apache.org/httpcomponents-client-5.2.x/migration-guide/migration-to-async-simple.html
and I don't know what to do - I always get org.apache.hc.core5.util.TimeoutValueException.

On Sat, 12 Aug 2023 at 12:16, Oleg Kalnichevski <ol...@apache.org> wrote:

> I see no evidence of SNI not working:
>
> try (final CloseableHttpAsyncClient client = HttpAsyncClients.custom()
>         .build()) {
>
>     client.start();
>
>     // connect to the address resolved for www.google.com, but use www.google.ch
>     // as the hostname for TLS (SNI and certificate hostname check)
>     final HttpHost endpoint = new HttpHost("https", InetAddress.getByName("www.google.com"), "www.google.ch", 443);
>     final HttpClientContext clientContext = HttpClientContext.create();
>
>     final SimpleHttpRequest request = SimpleRequestBuilder.get()
>             .setPath("/")
>             .build();
>
>     System.out.println("Executing request " + request);
>     final Future<SimpleHttpResponse> future = client.execute(
>             endpoint,
>             SimpleRequestProducer.create(request),
>             SimpleResponseConsumer.create(),
>             null,
>             clientContext,
>             new FutureCallback<SimpleHttpResponse>() {
>
>                 @Override
>                 public void completed(final SimpleHttpResponse response) {
>                     System.out.println(request + "->" + new StatusLine(response));
>                     final SSLSession sslSession = clientContext.getSSLSession();
>                     if (sslSession != null) {
>                         System.out.println("SSL protocol " + sslSession.getProtocol());
>                         System.out.println("SSL cipher suite " + sslSession.getCipherSuite());
>                     }
>                     System.out.println(response.getBody());
>                 }
>
>                 @Override
>                 public void failed(final Exception ex) {
>                     System.out.println(request + "->" + ex);
>                 }
>
>                 @Override
>                 public void cancelled() {
>                     System.out.println(request + " cancelled");
>                 }
>
>             });
>     future.get();
>
>     System.out.println("Shutting down");
>     client.close(CloseMode.GRACEFUL);
> }
>
> Executing request GET /
> 2023-08-12 11:11:53,809 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalAbstractHttpAsyncClient] ex-0000000001 preparing request execution
> 2023-08-12 11:11:53,817 DEBUG [main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec] ex-0000000001 target auth state: UNCHALLENGED
> 2023-08-12 11:11:53,817 DEBUG
> [main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec] ex-0000000001 proxy auth state: UNCHALLENGED
> 2023-08-12 11:11:53,819 DEBUG [main][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001 acquiring connection with route {s}->https://www.google.ch:443
> 2023-08-12 11:11:53,819 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ex-0000000001 acquiring endpoint (3 MINUTES)
> 2023-08-12 11:11:53,821 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ex-0000000001 endpoint lease request (3 MINUTES) [route: {s}->https://www.google.ch:443][total available: 0; route allocated: 0 of 5; total allocated: 0 of 25]
> 2023-08-12 11:11:53,823 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ex-0000000001 endpoint leased [route: {s}->https://www.google.ch:443][total available: 0; route allocated: 1 of 5; total allocated: 1 of 25]
> 2023-08-12 11:11:53,824 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ex-0000000001 acquired ep-0000000001
> 2023-08-12 11:11:53,824 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ex-0000000001 acquired endpoint ep-0000000001
> 2023-08-12 11:11:53,824 DEBUG [main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ep-0000000001 connecting endpoint (null)
> 2023-08-12 11:11:53,825 DEBUG [main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ep-0000000001 connecting endpoint to https://www.google.ch:443 (3 MINUTES)
> 2023-08-12 11:11:53,825 DEBUG [main][org.apache.hc.client5.http.impl.nio.MultihomeIOSessionRequester] www.google.ch:443 connecting null to www.google.com/142.250.184.68:443 (3 MINUTES)
> 2023-08-12 11:11:53,890 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.DefaultManagedAsyncClientConnection] c-0000000000 start TLS
> 2023-08-12 11:11:53,904
> DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Enabled protocols: [TLSv1.2]
> 2023-08-12 11:11:53,904 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> 2023-08-12 11:11:53,904 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Starting handshake (3 MINUTES)
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.917 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: status_request
> javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920 CEST|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
> javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920 CEST|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: status_request_v2
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
> javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.925 CEST|ClientHello.java:575|Produced ClientHello handshake message (
> "ClientHello": {
>   "client version" : "TLSv1.2",
>   "random"         : "03 B9 1C 75 11 97 C0 7C A5 E2 C0 CB 37 B7 6A 27 15 B9 BB 64 62 0A 10 BE B2 47 A2 17 3A 0F 59 8C",
>   "session id"     : "",
>   "cipher suites"  : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>     TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>     TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>     TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>     TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>     TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>     TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>     TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>     TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>     TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>     TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>     TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>     TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008),
>     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(0xC012),
>     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016),
>     SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013),
>     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC003),
>     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(0xC00D),
>     SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A),
>     TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>   "compression methods" : "00",
>   "extensions" : [
>     "server_name (0)": {
>       type=host_name (0), value=www.google.ch
>     },
>
> ...
>
> 2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] Secure session established
> 2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] negotiated protocol: TLSv1.2
> 2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] negotiated cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> 2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] peer principal: CN=*.google.ch
> 2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] peer alternative names: [*.google.ch, google.ch]
> 2023-08-12 11:11:54,166 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy] issuer principal: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
> 2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ep-0000000001 connected c-0000000000
> 2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ep-0000000001 endpoint connected
> 2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001 connected to target
> 2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001 route fully established
> 2023-08-12 11:11:54,168 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec] ex-0000000001 executing GET / HTTP/1.1
> 2023-08-12 11:11:54,169 DEBUG [httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient] ep-0000000001 start execution ex-0000000001
> 2023-08-12 11:11:54,169 DEBUG
> [httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager] ep-0000000001 executing exchange ex-0000000001 over c-0000000000
>
>
> On Fri, 2023-08-11 at 18:50 -0600, Shawn Heisey wrote:
> > On 8/10/23 14:03, Petar Tahchiev wrote:
> > > Hi Jochen,
> > > I don't have 2 different SSL certificates.
> > > I have no idea what SNI is, but that seems to be the only difference in the
> > > log from curl and httpclient5.
> >
> > https://en.wikipedia.org/wiki/Server_Name_Indication
> >
> > Basically it's a feature of TLS that allows a client to send a hint to a
> > server so it can decide which certificate to send. With HTTPS, the SNI
> > value is typically the same as the Host header value that is later sent
> > over the encrypted channel. With httpclient implementations, the SNI
> > value is usually extracted from the URL that has been requested. So a
> > request for "https://www.example.com/some/path" would set the SNI and
> > Host header to www.example.com.
> >
> > This issue seems to be a case where the SNI value is missing, or maybe
> > sent or interpreted as the literal string "null".
> >
> > It seems odd that SNI could affect a server that doesn't have more than
> > one certificate. Unless the server is deciding to not proceed with the
> > connection at all because it doesn't have a certificate that matches the
> > missing or incorrect SNI value.
> >
> > I have seen that things can often get fuzzy with Java software and TLS,
> > because Sun wrote their own implementation of TLS for Java, and it
> > sometimes does not behave exactly the same as other implementations.
> > I'm not trying to say that their implementation is wrong, but it does
> > behave differently than another implementation like openssl.
> >
> > I hope you can get the info you need to work around the difficulty.
> >
> > Thanks,
> > Shawn
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> > For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> >
>

--
Regards, Petar!
Karlovo, Bulgaria.
---
Public PGP Key at: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x19658550C3110611
Key Fingerprint: A369 A7EE 61BC 93A3 CDFF 55A5 1965 8550 C311 0611
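Shawn's message above describes SNI as a hostname the client sends in the clear so the server can pick a certificate, and Oleg's JSSE dump shows exactly where it travels: the `server_name (0)` extension of the ClientHello, with `type=host_name (0), value=www.google.ch`. The block below is an added example, not code from this thread, from HttpClient or from JSSE. It builds a minimal ClientHello with (or without) that extension and parses the name back out, which is the check to run on a captured ClientHello when you suspect the name is missing or is the literal string "null". Everything in it is constructed: the 32-byte random is fixed, the three-suite cipher list stands in for the long one in the log, and no network is involved. It also applies the RFC 6066 rule that an IP literal is not a valid host_name, so a hello built for `142.250.184.68` carries no SNI at all.

```python
"""Build and parse a minimal TLS ClientHello to show where SNI is carried.
Added example with constructed data; not from the thread or from HttpClient."""
import ipaddress
import struct

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000       # extension type server_name (RFC 6066)
SNI_HOST_NAME = 0x00           # the only defined NameType: host_name


def build_client_hello(server_name=None, cipher_suites=(0xC02C, 0xC02B, 0x00FF)):
    """Return a TLS 1.2 ClientHello record carrying server_name as SNI.

    RFC 6066 does not allow IP literals in host_name, so an IP address (or
    None) yields a hello with no server_name extension: the "missing SNI"
    case discussed in the thread. The random is fixed so output is stable.
    """
    random = bytes(range(32))                 # constructed, not cryptographic
    body = b"\x03\x03" + random + b"\x00"     # client_version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null

    send_sni = server_name is not None
    if send_sni:
        try:
            ipaddress.ip_address(server_name)  # IP literal: not a valid host_name
            send_sni = False
        except ValueError:
            pass
    if send_sni:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    # With no extensions the whole extensions block is omitted, which
    # RFC 5246 permits and which the parser below therefore handles.

    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or
    None when the hello carries no SNI. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    def field(pos, n):                        # bounds-checked big-endian uint
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        return int.from_bytes(body[pos:pos + n], "big")

    pos = 2 + 32                              # skip client_version and random
    pos += 1 + field(pos, 1)                  # session_id
    pos += 2 + field(pos, 2)                  # cipher_suites
    pos += 1 + field(pos, 1)                  # compression_methods
    if pos == len(body):
        return None                           # no extensions block at all
    end = pos + 2 + field(pos, 2)
    pos += 2
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos < end:
        ext_type, length = field(pos, 2), field(pos + 2, 2)
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if pos > end:
            raise ValueError("truncated extension")
        if ext_type == EXT_SERVER_NAME:
            return _parse_server_name(data)
    return None                               # extensions present, no server_name


def _parse_server_name(data):
    """Decode the ServerNameList inside a server_name extension."""
    if len(data) < 2:
        raise ValueError("truncated server_name extension")
    end = 2 + struct.unpack("!H", data[:2])[0]
    if end > len(data):
        raise ValueError("truncated ServerNameList")
    pos = 2
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if pos > end:
            raise ValueError("truncated host_name")
        if name_type == SNI_HOST_NAME:
            return name.decode("ascii")
    return None


if __name__ == "__main__":
    for target in ("www.google.ch", "142.250.184.68", None):
        print(repr(target), "->", extract_sni(build_client_hello(target)))
```

Feed `extract_sni` the first TLS record a client sends (for example the bytes of the ClientHello from a packet capture): `None` is the missing-SNI case Shawn raises, and a client that really sent the literal string "null" would come back as `"null"`, which is easy to tell apart from a proper hostname.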