Hi Colm,

Thanks for the information, it is exactly what I was looking for. I will try to patch 3.1.7 with your fix.

Regards,
Andrei.

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, 30 November 2017 11:18
> To: [email protected]
> Subject: Re: SSL: SNI support in java 8 and CXF 3.1.7
>
> Hi Andrei,
>
> It works in CXF 3.2.1 due to a fix I did which is also in CXF 3.1.10:
>
> https://issues.apache.org/jira/browse/CXF-7233
>
> Is it an option for you to upgrade to CXF 3.1.10?
>
> Colm.
>
> On Wed, Nov 29, 2017 at 9:57 PM, Andrei Shakirin <[email protected]> wrote:
>
> > Hi Colm,
> >
> > Perhaps you have an idea how to resolve the following issue:
> >
> > I try to set up an SSL connection to server https://sandbox.tiramizoo.com/
> > using CXF Rest client (CXF 3.1.7, WebClient or JAX-RS Client).
> >
> > The code running under JDK 1.8.0_131 fails:
> > Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> >
> > Looking for the reason, I discovered that the reason of the problem is
> > missing SNI during handshake:
> >
> > Log of success case:
> > ...
> > Extension server_name, server_name: [type=host_name (0), value=sandbox.tiramizoo.com]
> >
> > [write] MD5 and SHA1 hashes: len = 191
> > 0000: 01 00 00 BB 03 03 5A 1E 8C 8D EB 9D 2A D8 DC E2  ......Z.....*...
> > 0010: D5 63 9B 7C 07 10 D9 25 A3 51 F3 C1 2B 1F B0 1A  .c.....%.Q..+...
> > 0020: 3F 57 CA BA 1E E7 00 00 3A C0 23 C0 27 00 3C C0  ?W......:.#.'.<.
> > 0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0  %.).g.@...../...
> > 0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
> > 0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00  ................
> > 0060: 13 00 FF 01 00 00 58 00 0A 00 16 00 14 00 17 00  ......X.........
> > 0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00  ................
> > 0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06  ................
> > 0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02  ................
> > 00A0: 02 00 00 00 1A 00 18 00 00 15 73 61 6E 64 62 6F  ..........sandbo
> > 00B0: 78 2E 74 69 72 61 6D 69 7A 6F 6F 2E 63 6F 6D  x.tiramizoo.com
> >
> > Log of problem case:
> > ...
> > [NO Extension server_name]
> > [write] MD5 and SHA1 hashes: len = 203
> > 0000: 01 00 00 C7 03 03 5A 1E 8B 3F 08 56 DB C9 02 81  ......Z..?.V....
> > 0010: F7 6C F9 32 0F EC C3 1A 9A 7D 1C 04 C3 1B C7 D5  .l.2............
> > 0020: 6E 12 73 55 4C A3 00 00 64 C0 24 C0 28 00 3D C0  n.sUL...d.$.(.=.
> > 0030: 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 C0  &.*.k.j.....5...
> > 0040: 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00  ..9.8.#.'.<.%.).
> > 0050: 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 00  g.@...../.....3.
> > 0060: 32 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00  2.,.+.0.....2...
> > 0070: A3 C0 2F 00 9C C0 2D C0 31 00 9E 00 A2 C0 08 C0  ../...-.1.......
> > 0080: 12 00 0A C0 03 C0 0D 00 16 00 13 00 FF 01 00 00  ................
> > 0090: 3A 00 0A 00 16 00 14 00 17 00 18 00 19 00 09 00  :...............
> > 00A0: 0A 00 0B 00 0C 00 0D 00 0E 00 16 00 0B 00 02 01  ................
> > 00B0: 00 00 0D 00 16 00 14 06 03 06 01 05 03 05 01 04  ................
> > 00C0: 03 04 01 04 02 02 03 02 01 02 02  ...........
> >
> >
> > The problem is likely caused by a bug in the JDK,
> > https://bugs.openjdk.java.net/browse/JDK-8072464, that prevents sending
> > SNI if the client registers a custom HostnameVerifier.
> > I can also reproduce it with simple Java HttpsURLConnection +
> > registering HostnameVerifier.
> >
> > Interesting that the result of the SSL connection to
> > https://sandbox.tiramizoo.com/ looks like:
> > 1) failed with CXF 3.1.7 and JDK 1.8.0_131
> > 2) failed with simple HttpsURLConnection + registering HostnameVerifier and JDK 1.8.0_1311)
> > 3) successful with CXF 3.2.1 and JDK 1.8.0_131
> > 4) successful with CXF 3.2.1 and JDK 1.8.0_151
> > 5) successful with simple HttpsURLConnection + registering HostnameVerifier and JDK 1.8.0_151
> >
> > Questions:
> > - any idea why this connection works with CXF 3.2.1 and JDK 1.8.0_131,
> >   despite the fact that CXF 3.2.1 registers the custom HostnameVerifier as well?
> > - is there any workaround for CXF 3.1.7 and JDK 1.8.0_131?
> >
> > Small example to reproduce the issue is attached.
> >
> > Regards,
> > Andrei.
> >
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
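
The comparison of the two ClientHello dumps quoted in the thread, as an added example that is not part of the original messages: a small Python parser that walks each handshake message and reports the server_name extension, which is a quick way to confirm from a captured handshake whether a client is sending SNI. The function name `client_hello_sni` is an assumption; the byte strings are transcribed from the two hex dumps in the thread.

```python
import struct

def client_hello_sni(msg: bytes):
    """Return the SNI host_name from a ClientHello handshake message, or None."""
    if msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a complete ClientHello handshake message")
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + msg[pos]                                 # session_id
    pos += 2 + int.from_bytes(msg[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + msg[pos]                                 # compression_methods
    if pos >= len(msg):
        return None                                     # no extensions block at all
    end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", msg, pos)
        body = msg[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0:                               # server_name (RFC 6066)
            # body: u16 list length, then u8 name_type, u16 name length, name
            name_type, name_len = struct.unpack_from(">BH", body, 2)
            if name_type == 0:                          # host_name
                return body[5:5 + name_len].decode("ascii")
    return None

# Handshake bytes transcribed from the two javax.net.debug dumps in the thread.
WITH_SNI = bytes.fromhex(      # "Log of success case", len = 191
    "010000BB03035A1E8C8DEB9D2AD8DCE2D5639B7C0710D925A351F3C12B1FB01A"
    "3F57CABA1EE700003AC023C027003CC025C02900670040C009C013002FC004C0"
    "0E00330032C02BC02F009CC02DC031009E00A2C008C012000AC003C00D001600"
    "1300FF01000058000A001600140017001800190009000A000B000C000D000E00"
    "16000B00020100000D0016001406030601050305010403040104020203020102"
    "020000001A001800001573616E64626F782E746972616D697A6F6F2E636F6D"
)
WITHOUT_SNI = bytes.fromhex(   # "Log of problem case", len = 203
    "010000C703035A1E8B3F0856DBC90281F76CF9320FECC31A9A7D1C04C31BC7D5"
    "6E1273554CA3000064C024C028003DC026C02A006B006AC00AC0140035C005C0"
    "0F00390038C023C027003CC025C02900670040C009C013002FC004C00E003300"
    "32C02CC02BC030009DC02EC032009F00A3C02F009CC02DC031009E00A2C008C0"
    "12000AC003C00D0016001300FF0100003A000A00160014001700180019000900"
    "0A000B000C000D000E0016000B00020100000D00160014060306010503050104"
    "0304010402020302010202"
)

if __name__ == "__main__":
    for label, msg in (("success", WITH_SNI), ("problem", WITHOUT_SNI)):
        print(label, len(msg), client_hello_sni(msg))
```
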
