我尝试使用TLS呼叫服务器,仅接受支持SNI的客户端。
我正在使用Java 7运行客户端:
$ java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)
默认情况下应该启用它,但是:
例如,来自我的日志:
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension renegotiation_info, renegotiated_connection: <empty>
***
虽然我希望找到
Extension server_name, server_name: [host_name: my.servername.com]
我尝试添加标记-Djsse.enableSNIExtension=true,但没有成功。
我正在使用Netty 4.0.37进行测试并获得此异常:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
在Java 7 JVM上启用SNI的技巧是什么?
答案 0 :(得分:6)
问题出在Netty / SSL引擎配置上。
以前配置如下:
public void initChannel(SocketChannel ch) throws Exception {
SSLEngine sslEngine = SSLContext.getDefault().createSSLEngine();
sslEngine.setUseClientMode(true);
ch.pipeline()
.addLast("ssl", new SslHandler(sslEngine));
}
实际上,它在这样配置时工作,显式设置目标服务器名称:
public void initChannel(SocketChannel ch) throws Exception {
SslContext sslContext = SslContextBuilder.forClient().build();
ch.pipeline()
.addLast(
sslContext.newHandler(
ch.alloc(),
host,
port
)
);
}
使用此配置,应该在日志中(设置-Djavax.net.debug=all标志):
Extension server_name, server_name: [type=host_name (0), value=target.hostname.com]