Use of javax.net.ssl.SNIHostName in project service-proxy by membrane.
The class SSLExplorer, method exploreSNIExt.
/*
* struct {
* NameType name_type;
* select (name_type) {
* case host_name: HostName;
* } name;
* } ServerName;
*
* enum {
* host_name(0), (255)
* } NameType;
*
* opaque HostName<1..2^16-1>;
*
* struct {
* ServerName server_name_list<1..2^16-1>
* } ServerNameList;
*/
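/**
 * Parses the body of a ClientHello {@code server_name} extension into the list of
 * {@link SNIServerName}s it carries (see the wire layout in the comment above).
 *
 * On success exactly {@code extLen} bytes have been consumed from {@code input}:
 * the 2-byte list length plus, per entry, 1 byte of name_type, 2 bytes of length
 * and the name itself.
 *
 * @param input  buffer positioned at the first byte of the extension data
 * @param extLen declared length of the extension data, in bytes
 * @return an unmodifiable list of the server names, in wire order
 * @throws IOException an {@link SSLProtocolException} when the list length does not
 *         match {@code extLen}, an entry would run past the extension or past the
 *         buffer, a host_name entry is empty, a name type repeats, or the extension
 *         is empty (the ServerHello form, which a client must not send)
 * @throws IllegalArgumentException if the encoded host name is not a valid host name,
 *         propagated from {@link SNIHostName#SNIHostName(byte[])}
 */
private static List<SNIServerName> exploreSNIExt(ByteBuffer input, int extLen) throws IOException {
    // Keyed by name type so a repeated type is detected; LinkedHashMap keeps wire order.
    Map<Integer, SNIServerName> sniMap = new LinkedHashMap<Integer, SNIServerName>();
    int remains = extLen;
    if (extLen >= 2) {
        // "server_name" extension in ClientHello: ServerNameList preceded by its 2-byte length
        int listLen = getInt16(input);
        if (listLen == 0 || listLen + 2 != extLen) {
            throw new SSLProtocolException("Invalid server name indication extension");
        }
        // 0x02: the length field of server_name_list
        remains -= 2;
        while (remains > 0) {
            // Every ServerName needs name_type (1 byte) + length (2 bytes); check before
            // reading so a truncated list never makes us read into the next extension.
            if (remains < 3) {
                throw new SSLProtocolException("Not enough data to fill declared vector size");
            }
            // name_type
            int code = getInt8(input);
            // length field of server name
            int snLen = getInt16(input);
            remains -= 3;
            // The declared name must fit in what is left of the extension AND in what the
            // buffer actually holds, so a short record surfaces as a protocol error rather
            // than a BufferUnderflowException from input.get().
            if (snLen > remains || snLen > input.remaining()) {
                throw new SSLProtocolException("Not enough data to fill declared vector size");
            }
            byte[] encoded = new byte[snLen];
            input.get(encoded);
            SNIServerName serverName;
            switch (code) {
                case StandardConstants.SNI_HOST_NAME:
                    if (encoded.length == 0) {
                        throw new SSLProtocolException("Empty HostName in server name indication");
                    }
                    serverName = new SNIHostName(encoded);
                    break;
                default:
                    serverName = new UnknownServerName(code, encoded);
            }
            // check for duplicated server name type
            if (sniMap.put(serverName.getType(), serverName) != null) {
                throw new SSLProtocolException("Duplicated server name of type " + serverName.getType());
            }
            remains -= encoded.length;
        }
    } else if (extLen == 0) {
        // "server_name" extension in ServerHello (empty body) is not valid from a client
        throw new SSLProtocolException("Not server name indication extension in client");
    }
    // extLen == 1 falls through with remains == 1 and is rejected here.
    if (remains != 0) {
        throw new SSLProtocolException("Invalid server name indication extension");
    }
    return Collections.<SNIServerName>unmodifiableList(new ArrayList<SNIServerName>(sniMap.values()));
}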
Use of javax.net.ssl.SNIHostName in project netty by netty.
The class SSLEngineTest, method testUsingX509TrustManagerVerifiesHostname.
/**
 * Handshakes a client whose trust manager accepts every certificate but whose
 * endpoint identification algorithm is "HTTPS", so the outcome depends only on
 * hostname verification. The client engine is created for "127.0.0.1" while the
 * server certificate is generated for {@code something.netty.io}: with SNI the
 * handshake must succeed, without it an {@link SSLException} is expected.
 *
 * @param param  engine / delegate configuration for this run
 * @param useSNI whether to send the certificate's host name as the SNI server name
 * @throws Exception on any unexpected failure
 */
private void testUsingX509TrustManagerVerifiesHostname(SSLEngineTestParam param, boolean useSNI) throws Exception {
    if (clientSslContextProvider() != null) {
        // Not supported when using conscrypt
        return;
    }
    final String hostName = "something.netty.io";
    final SelfSignedCertificate selfSigned = new SelfSignedCertificate(hostName);

    // Trust-all manager: chain validation is deliberately switched off so that only
    // the endpoint identification check configured below can reject the handshake.
    TrustManagerFactorySpi trustAllSpi = new TrustManagerFactorySpi() {
        @Override
        protected void engineInit(KeyStore keyStore) {
            // NOOP
        }

        @Override
        protected void engineInit(ManagerFactoryParameters managerFactoryParameters) {
            // NOOP
        }

        @Override
        protected TrustManager[] engineGetTrustManagers() {
            X509TrustManager trustAll = new X509TrustManager() {
                @Override
                public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                    // NOOP
                }

                @Override
                public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                    // NOOP
                }

                @Override
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return EmptyArrays.EMPTY_X509_CERTIFICATES;
                }
            };
            return new TrustManager[] { trustAll };
        }
    };
    // TrustManagerFactory's constructor is protected, hence the empty anonymous subclass.
    TrustManagerFactory trustAllFactory = new TrustManagerFactory(trustAllSpi, null, TrustManagerFactory.getDefaultAlgorithm()) {
    };
    clientSslCtx = wrapContext(param, SslContextBuilder.forClient()
            .trustManager(trustAllFactory)
            .sslContextProvider(clientSslContextProvider())
            .sslProvider(sslClientProvider())
            .build());

    SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT, "127.0.0.1", 1234));
    SSLParameters clientParams = client.getSSLParameters();
    clientParams.setEndpointIdentificationAlgorithm("HTTPS");
    if (useSNI) {
        clientParams.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(hostName)));
    }
    client.setSSLParameters(clientParams);

    serverSslCtx = wrapContext(param, SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey())
            .sslContextProvider(serverSslContextProvider())
            .sslProvider(sslServerProvider())
            .build());
    SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
    try {
        handshake(param.type(), param.delegate(), client, server);
        if (!useSNI) {
            // No SNI: the name "127.0.0.1" does not match the certificate, so success is a failure.
            fail();
        }
    } catch (SSLException exception) {
        if (useSNI) {
            throw exception;
        }
        // expected as the hostname not matches.
    } finally {
        cleanupClientSslEngine(client);
        cleanupServerSslEngine(server);
        selfSigned.delete();
    }
}
Use of javax.net.ssl.SNIHostName in project netty by netty.
The class Java8SslUtils, method getSniHostNames.
/**
 * Extracts the ASCII host names from the server_name entries of the given parameters.
 *
 * @param sslParameters parameters whose server names are inspected
 * @return the ASCII form of each configured {@link SNIHostName}, in order, or an
 *         empty list when no server names are set
 * @throws IllegalArgumentException if any entry is not an {@link SNIHostName}
 */
static List<String> getSniHostNames(SSLParameters sslParameters) {
    List<SNIServerName> serverNames = sslParameters.getServerNames();
    if (serverNames == null || serverNames.isEmpty()) {
        return Collections.emptyList();
    }
    List<String> hostNames = new ArrayList<String>(serverNames.size());
    for (SNIServerName candidate : serverNames) {
        if (!(candidate instanceof SNIHostName)) {
            // Only host_name entries carry a textual host name.
            throw new IllegalArgumentException("Only " + SNIHostName.class.getName()
                    + " instances are supported, but found: " + candidate);
        }
        hostNames.add(((SNIHostName) candidate).getAsciiName());
    }
    return hostNames;
}
Use of javax.net.ssl.SNIHostName in project Conversations by siacs.
The class SSLSocketHelper, method setHostnameNougat.
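/**
 * Configures the SNI host name on a socket (API 24+) while keeping every other
 * parameter the socket already has.
 *
 * The parameters are taken from {@code socket.getSSLParameters()} rather than from
 * a fresh {@code SSLParameters}: {@code setSSLParameters} applies the whole object,
 * so an empty one can also reset settings configured earlier, such as the endpoint
 * identification algorithm.
 *
 * @param socket   the socket to configure
 * @param hostname the host name to send in the server_name extension
 * @throws IllegalArgumentException if {@code hostname} is not a valid host name,
 *         propagated from {@link SNIHostName#SNIHostName(String)}
 */
@RequiresApi(api = Build.VERSION_CODES.N)
private static void setHostnameNougat(final SSLSocket socket, final String hostname) {
    final SSLParameters parameters = socket.getSSLParameters();
    parameters.setServerNames(Collections.singletonList(new SNIHostName(hostname)));
    socket.setSSLParameters(parameters);
}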
Use of javax.net.ssl.SNIHostName in project mongo-java-driver by mongodb.
The class ServerTlsChannel, method getServerNameIndication.
/**
 * Peeks at the first TLS record arriving on the underlying channel and returns the
 * {@code host_name} entry of its server_name extension, if present.
 *
 * The encrypted-input buffer is enlarged as needed until at least
 * {@code readRecordHeaderSize()} bytes are buffered; it is flipped for
 * {@code TlsExplorer.explore} and compacted back to write mode afterwards.
 *
 * @return the SNI host name, or empty when no host_name entry is found
 * @throws IOException  on a channel read failure
 * @throws EofException declared for the channel read; presumably raised when the
 *                      peer closes before the record is complete — verify in readFromChannel
 */
private Optional<SNIServerName> getServerNameIndication() throws IOException, EofException {
    inEncrypted.prepare();
    try {
        final int headerSize = readRecordHeaderSize();
        // Keep pulling bytes until the whole header-sized prefix is buffered.
        while (inEncrypted.buffer.position() < headerSize) {
            if (!inEncrypted.buffer.hasRemaining()) {
                inEncrypted.enlarge();
            }
            // IO block
            TlsChannelImpl.readFromChannel(underlying, inEncrypted.buffer);
        }
        ((Buffer) inEncrypted.buffer).flip();
        Map<Integer, SNIServerName> namesByType = TlsExplorer.explore(inEncrypted.buffer);
        inEncrypted.buffer.compact();
        SNIServerName candidate = namesByType.get(StandardConstants.SNI_HOST_NAME);
        // instanceof is false for null, so a missing entry falls through to empty.
        if (candidate instanceof SNIHostName) {
            return Optional.of(candidate);
        }
        return Optional.empty();
    } finally {
        inEncrypted.release();
    }
}