Skip to content

Consider using the host name in the SSLEngineFactory #513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
harbulot opened this issue Mar 26, 2014 · 2 comments
Closed

Consider using the host name in the SSLEngineFactory #513

harbulot opened this issue Mar 26, 2014 · 2 comments
Assignees
@slandelle
Labels
Enhancement Netty
Milestone
1.9.0

Comments

@harbulot
Copy link

The SSLEngineFactory interface currently only has one method, SSLEngine newSSLEngine(), which cannot let the SSLEngine be created with a host name (see SSLEngine(String peerHost, int peerPort)).

Unfortunately, this prevents two useful features from being used:

  1. This would allow for an easy fix for issues SSL host name verification disabled by default #197 and SSL/TLS certificate verification disabled #352 (assuming Java 7+), but setting the endpoint identification algorithm (to use Java 7's X509ExtendedTrustManager):

    SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParams);

    This can only be used if the SSLEngine is aware of the host name requested, which is normally be done by using the constructor with peerHost.

  2. This would allow for the Server Name Indication (SNI) extension to be used for servers that need it. Again, for SNI to be used, the SSLEngine needs to be aware of the name with which it's used. This is essentially the same problem as this Apache HTTP Client issue.

Of course, there would also need to be support for all this in the provider libraries. I haven't looked into it in details, but this should be feasible in general. The code that requires the use of an SSLEngine is rarely far away from other code where the requested host name is available. (As far as I'm aware, these are just hints, so the port number doesn't need to have a meaningful value in when using that constructor.)

This might involve a bit of refactoring, but it can be worth it. Although host name verification can technically be provided by other means, it's much more difficult for SNI.

(Another workaround is to use reflection and setName(...) on SSLEngineImpl, if and when available. Of course, this is not a clean workaround, and heavily depends on the engine's implementation details.)
@jfarcand
Copy link
Contributor

@harbulot Pull request welcomed :-)

@wsargent wsargent mentioned this issue Apr 8, 2014
Closed
@wsargent
Copy link
Contributor

wsargent commented Apr 8, 2014

Pull request added.

@slandelle slandelle added this to the 2.0.0.Alpha1 milestone Jun 13, 2014
@slandelle slandelle self-assigned this Jun 13, 2014
slandelle pushed a commit that referenced this issue Jul 10, 2014
Add host and port to SSLEngine, backport fix #513
300ba99
@slandelle slandelle modified the milestones: 1.9.0, 2.0.0.Alpha1 Jul 10, 2014
cs-workco pushed a commit to cs-workco/async-http-client that referenced this issue Apr 13, 2023
@dnadoba
Test HTTPClientRequest (AsyncHttpClient#513)
cc17c9c 
* test `HTTPClientRequest.Prepared` and `HTTPClientRequest.Body`

* add scheme and headers tests

* fix tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@slandelle slandelle

Labels
Enhancement Netty
Projects
None yet
Milestone
1.9.0
Development

Successfully merging a pull request may close this issue.

Add host and port to SSLEngineFactory wsargent/async-http-client
4 participants
@jfarcand @wsargent @harbulot @slandelle