I see no evidence of SNI not working:
import java.net.InetAddress;
import java.util.concurrent.Future;

import javax.net.ssl.SSLSession;

import org.apache.hc.client5.http.async.methods.SimpleHttpRequest;
import org.apache.hc.client5.http.async.methods.SimpleHttpResponse;
import org.apache.hc.client5.http.async.methods.SimpleRequestBuilder;
import org.apache.hc.client5.http.async.methods.SimpleRequestProducer;
import org.apache.hc.client5.http.async.methods.SimpleResponseConsumer;
import org.apache.hc.client5.http.impl.async.CloseableHttpAsyncClient;
import org.apache.hc.client5.http.impl.async.HttpAsyncClients;
import org.apache.hc.client5.http.protocol.HttpClientContext;
import org.apache.hc.core5.concurrent.FutureCallback;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.message.StatusLine;
import org.apache.hc.core5.io.CloseMode;

// Class and main() wrapper added so the posted snippet compiles stand-alone;
// the class name is arbitrary.
public class SniCheck {

    public static void main(final String[] args) throws Exception {
        try (final CloseableHttpAsyncClient client = HttpAsyncClients.custom()
                .build()) {
            client.start();
            // Connect to the resolved address of www.google.com but give the
            // endpoint the host name www.google.ch, so the debug log shows which
            // of the two ends up in the SNI extension.
            final HttpHost endpoint = new HttpHost("https",
                    InetAddress.getByName("www.google.com"), "www.google.ch", 443);
            final HttpClientContext clientContext = HttpClientContext.create();
            final SimpleHttpRequest request = SimpleRequestBuilder.get()
                    .setPath("/")
                    .build();
            System.out.println("Executing request " + request);
            final Future<SimpleHttpResponse> future = client.execute(
                    endpoint,
                    SimpleRequestProducer.create(request),
                    SimpleResponseConsumer.create(),
                    null,
                    clientContext,
                    new FutureCallback<SimpleHttpResponse>() {
                        @Override
                        public void completed(final SimpleHttpResponse response) {
                            System.out.println(request + "->" + new StatusLine(response));
                            // The negotiated TLS session is exposed via the client context.
                            final SSLSession sslSession = clientContext.getSSLSession();
                            if (sslSession != null) {
                                System.out.println("SSL protocol " + sslSession.getProtocol());
                                System.out.println("SSL cipher suite " + sslSession.getCipherSuite());
                            }
                            System.out.println(response.getBody());
                        }

                        @Override
                        public void failed(final Exception ex) {
                            System.out.println(request + "->" + ex);
                        }

                        @Override
                        public void cancelled() {
                            System.out.println(request + " cancelled");
                        }
                    });
            future.get();
            System.out.println("Shutting down");
            client.close(CloseMode.GRACEFUL);
        }
    }
}
Executing request GET /
2023-08-12 11:11:53,809 DEBUG
[main][org.apache.hc.client5.http.impl.async.InternalAbstractHttpAsyncClient]
ex-0000000001 preparing request execution
2023-08-12 11:11:53,817 DEBUG
[main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec] ex-0000000001
target auth state: UNCHALLENGED
2023-08-12 11:11:53,817 DEBUG
[main][org.apache.hc.client5.http.impl.async.AsyncProtocolExec] ex-0000000001
proxy auth state: UNCHALLENGED
2023-08-12 11:11:53,819 DEBUG
[main][org.apache.hc.client5.http.impl.async.AsyncConnectExec] ex-0000000001
acquiring connection with route {s}->https://www.google.ch:443
2023-08-12 11:11:53,819 DEBUG
[main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
ex-0000000001 acquiring endpoint (3 MINUTES)
2023-08-12 11:11:53,821 DEBUG
[main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
ex-0000000001 endpoint lease request (3 MINUTES) [route:
{s}->https://www.google.ch:443][total available: 0; route allocated: 0 of 5;
total allocated: 0 of 25]
2023-08-12 11:11:53,823 DEBUG
[main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
ex-0000000001 endpoint leased [route: {s}->https://www.google.ch:443][total
available: 0; route allocated: 1 of 5; total allocated: 1 of 25]
2023-08-12 11:11:53,824 DEBUG
[main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
ex-0000000001 acquired ep-0000000001
2023-08-12 11:11:53,824 DEBUG
[main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
ex-0000000001 acquired endpoint ep-0000000001
2023-08-12 11:11:53,824 DEBUG
[main][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
ep-0000000001 connecting endpoint (null)
2023-08-12 11:11:53,825 DEBUG
[main][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
ep-0000000001 connecting endpoint to https://www.google.ch:443 (3 MINUTES)
2023-08-12 11:11:53,825 DEBUG
[main][org.apache.hc.client5.http.impl.nio.MultihomeIOSessionRequester]
www.google.ch:443 connecting null to www.google.com/142.250.184.68:443 (3
MINUTES)
2023-08-12 11:11:53,890 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.DefaultManagedAsyncClientConnection]
c-0000000000 start TLS
2023-08-12 11:11:53,904 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
Enabled protocols: [TLSv1.2]
2023-08-12 11:11:53,904 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2023-08-12 11:11:53,904 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
Starting handshake (3 MINUTES)
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.917
CEST|SSLExtensions.java:260|Ignore, context unavailable extension:
status_request
javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920
CEST|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by
the underlying providers
javax.net.ssl|WARNING|0D|httpclient-dispatch-1|2023-08-12 11:11:53.920
CEST|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by
the underlying providers
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923
CEST|SSLExtensions.java:260|Ignore, context unavailable extension:
status_request_v2
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.923
CEST|SSLExtensions.java:260|Ignore, context unavailable extension:
renegotiation_info
javax.net.ssl|FINE|0D|httpclient-dispatch-1|2023-08-12 11:11:53.925
CEST|ClientHello.java:575|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "03 B9 1C 75 11 97 C0 7C A5 E2 C0 CB 37 B7 6A 27 15
B9 BB 64 62 0A 10 BE B2 47 A2 17 3A 0F 59 8C",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008),
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(0xC012),
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016),
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013),
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC003),
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(0xC00D),
SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A),
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=www.google.ch
},
...
2023-08-12 11:11:54,166 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
Secure session established
2023-08-12 11:11:54,166 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
negotiated protocol: TLSv1.2
2023-08-12 11:11:54,166 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
negotiated cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2023-08-12 11:11:54,166 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
peer principal: CN=*.google.ch
2023-08-12 11:11:54,166 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
peer alternative names: [*.google.ch, google.ch]
2023-08-12 11:11:54,166 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy]
issuer principal: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US
2023-08-12 11:11:54,168 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
ep-0000000001 connected c-0000000000
2023-08-12 11:11:54,168 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
ep-0000000001 endpoint connected
2023-08-12 11:11:54,168 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec]
ex-0000000001 connected to target
2023-08-12 11:11:54,168 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.AsyncConnectExec]
ex-0000000001 route fully established
2023-08-12 11:11:54,168 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec]
ex-0000000001 executing GET / HTTP/1.1
2023-08-12 11:11:54,169 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.async.InternalHttpAsyncClient]
ep-0000000001 start execution ex-0000000001
2023-08-12 11:11:54,169 DEBUG
[httpclient-dispatch-1][org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager]
ep-0000000001 executing exchange ex-0000000001 over c-0000000000
On Fri, 2023-08-11 at 18:50 -0600, Shawn Heisey wrote:
> On 8/10/23 14:03, Petar Tahchiev wrote:
> > Hi Jochen,
> > I don't have 2 different SSL certificates.
> > I have no idea what SNI is but that seems to be the only difference in the
> > log from curl and httpclient5.
>
> https://en.wikipedia.org/wiki/Server_Name_Indication
>
> Basically it's a feature of TLS that allows a client to send a hint to a
> server so it can decide which certificate to send. With HTTPS, the SNI
> value is typically the same as the Host header value that is later sent
> over the encrypted channel. With httpclient implementations, the SNI
> value is usually extracted from the URL that has been requested. So a
> request for "https://www.example.com/some/path" would set the SNI and
> Host header to www.example.com.
>
> This issue seems to be a case where the SNI value is missing, or maybe
> sent or interpreted as the literal string "null".
>
> It seems odd that SNI could affect a server that doesn't have more than
> one certificate. Unless the server is deciding to not proceed with the
> connection at all because it doesn't have a certificate that matches the
> missing or incorrect SNI value.
>
> I have seen that things can often get fuzzy with Java software and TLS,
> because Sun wrote their own implementation of TLS for Java, and it
> sometimes does not behave exactly the same as other implementations.
> I'm not trying to say that their implementation is wrong, but it does
> behave differently than another implementation like openssl.
>
> I hope you can get the info you need to work around the difficulty.
>
> Thanks,
> Shawn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>